# help
a
Hello! I'm having an issue with our Cerbos deployment. Somehow the `Access-Control-Allow-Origin` header is being sent twice, which then throws a CORS error for any request sent to it.
```
Access to fetch at 'https://zephyr-cerbos-dev.zephyr-cloud.io/api/check/resources' from origin 'http://localhost:3000' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, http://dev.zephyr-cloud.io', but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
```
What's the fastest way to debug and solve this issue?
d
Hi Arthur! What's in the `server -> cors` section of your Cerbos config?
Also, what are the CORS settings of the API Gateway?
a
OK, that duplicated CORS value problem was another team member testing our gateway headers configuration to see if there was anything suspicious there. The real problem (when nothing custom is set on our nginx gateway) is that `OPTIONS` requests have no CORS headers in the response.
That's our server config:
```yaml
server:
  adminAPI:
    enabled: true
    adminCredentials:
      username: <username>
      passwordHash: <hash>
```
Nothing related to CORS at all.
`POST`/`GET`... requests were returning allow origin = `*`
but our problem was that on Firefox browsers a preflight request was being made (on Chromium only the `POST` is being sent) and in this `OPTIONS` request, a `501 Method Not Allowed` was being sent without any CORS headers.
We temporarily solved this by adding an "if method === OPTIONS, reply with CORS headers" rule in our reverse proxy, but I think this shouldn't be the final solution.
d
Can you add this `cors` section to your server config?
```yaml
server:
  cors: # CORS defines the CORS configuration for the server.
    allowedHeaders: ['content-type', 'user-agent'] # AllowedHeaders is the contents of the allowed-headers header.
    allowedOrigins: ['*'] # AllowedOrigins is the contents of the allowed-origins header.
    disabled: false # Disabled sets whether CORS is disabled.
    maxAge: 10s # MaxAge is the max age of the CORS preflight check.
```