
[BUG]: Dgraph.Allow-Origin CORS setting does not work as docs claim

Open ericwhitefield opened this issue 2 years ago • 0 comments

What version of Dgraph are you using?

Current Dgraph Cloud version

Tell us a little more about your go-environment?

Dgraph Cloud

Have you tried reproducing the issue with the latest release?

None

What is the hardware spec (RAM, CPU, OS)?

Dgraph Cloud

What steps will reproduce the bug?

Try to apply a CORS setting. It won't work.

Expected behavior and actual result.

CORS settings get applied.

Additional information

Documentation here: https://dgraph.io/docs/graphql/security/cors/

Claims that adding config line(s) to the bottom of the Schema file will modify the Response header accordingly.

Perhaps "star" would be a special case. Or perhaps not. The Docs do not specify if a "star" would cause the Response header to contain "star", OR if the header would echo back the Referrer header of the Request. Either way, it's not currently working.

For specifically listed domains one might assume the Response header would echo back the Request's "Referrer" header.


# Dgraph.Allow-Origin "*"

Expected response header:

access-control-allow-origin: *

Actual response header: ❌

access-control-allow-origin: https://cloud.dgraph.io

# Dgraph.Allow-Origin "https://localhost:3000"
# Dgraph.Allow-Origin "https://example.com"

Expected response header from a request from https://localhost:3000

access-control-allow-origin: https://localhost:3000

Actual response header: ❌

access-control-allow-origin: https://cloud.dgraph.io

# Dgraph.Allow-Origin "https://localhost:3000"
# Dgraph.Allow-Origin "https://example.com"

Expected response header from a request from https://example.com

access-control-allow-origin: https://example.com

Actual response header: ❌

access-control-allow-origin: https://cloud.dgraph.io

# Dgraph.Allow-Origin "https://localhost:3000"
# Dgraph.Allow-Origin "https://example.com"

Expected response header from a request from https://cloud.dgraph.io

access-control-allow-origin: https://cloud.dgraph.io

Actual response header: ✅

access-control-allow-origin: https://cloud.dgraph.io

ericwhitefield • Oct 09 '23 19:10
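The four cases reported above can be turned into a repeatable check. This is an added example, not part of the original issue and not Dgraph code: it parses the `# Dgraph.Allow-Origin` lines from a schema file and compares an observed `access-control-allow-origin` value with the value the issue expects. The function names, the constructed schema text, the absent header for unlisted origins, and the implicit allowance of `https://cloud.dgraph.io` (inferred from the issue's fourth case) are assumptions.

```python
import re

# Schema-file lines of the form shown in the issue:
#   # Dgraph.Allow-Origin "https://example.com"
ALLOW_ORIGIN_RE = re.compile(r'^\s*#\s*Dgraph\.Allow-Origin\s+"([^"]*)"\s*$')
# Assumption: the hosted console origin is always allowed (issue's fourth case).
IMPLICIT_ORIGINS = ("https://cloud.dgraph.io",)

def parse_allowed_origins(schema_text):
    """Return the origins declared in the schema, in order, without duplicates."""
    origins = []
    for line in schema_text.splitlines():
        m = ALLOW_ORIGIN_RE.match(line)
        if m and m.group(1) not in origins:
            origins.append(m.group(1))
    return origins

def expected_acao(schema_text, request_origin):
    """Header value the issue expects; None means no header at all (assumption)."""
    allowed = parse_allowed_origins(schema_text)
    if "*" in allowed:
        return "*"
    if request_origin in allowed or request_origin in IMPLICIT_ORIGINS:
        return request_origin
    return None

def check(schema_text, request_origin, actual_acao):
    """Compare an observed access-control-allow-origin value with the expectation."""
    expected = expected_acao(schema_text, request_origin)
    return {"origin": request_origin, "expected": expected,
            "actual": actual_acao, "ok": expected == actual_acao}

# Constructed inputs mirroring the issue; OBSERVED is the value it reports.
WILDCARD_SCHEMA = '# Dgraph.Allow-Origin "*"\n'
LIST_SCHEMA = ('type Todo { id: ID! }\n'
               '# Dgraph.Allow-Origin "https://localhost:3000"\n'
               '# Dgraph.Allow-Origin "https://example.com"\n')
OBSERVED = "https://cloud.dgraph.io"

def run_cases():
    return [
        check(WILDCARD_SCHEMA, "https://localhost:3000", OBSERVED),
        check(LIST_SCHEMA, "https://localhost:3000", OBSERVED),
        check(LIST_SCHEMA, "https://example.com", OBSERVED),
        check(LIST_SCHEMA, "https://cloud.dgraph.io", OBSERVED),
    ]

if __name__ == "__main__":
    for result in run_cases():
        print(result)
```

To run it against a live endpoint, replace `OBSERVED` with the header value captured from a response to a request carrying the corresponding `Origin` header.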