camunda BPM / CAM-11840

Broken CORS support: OPTIONS preflight must not require authentication. Include Access-Control-Allow-Credentials, Access-Control-Allow-Headers


    Details

    • Type: Bug Report
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: 7.13.0
    • Fix Version/s: 7.13.0, 7.13.0-alpha5
    • Component/s: engine, rest-distro, run
    • Labels: None
    • Environment: All modern browsers

      Description

      When both camunda.bpm.run.auth.enabled (recommended e.g. by production.yml, CAM-11838) and camunda.bpm.run.cors.enabled are set, the Camunda BPM Run CORS configuration is broken, which breaks browser clients (this is even after the origin has been configured/whitelisted using camunda.bpm.run.cors.allowed-origins):

      Access to XMLHttpRequest at 'https://camunda.example.com/engine-rest/process-definition/key/marketing.user.CloseAccount/start' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

      Specifically, the server returned 401 on (properly unauthenticated) preflight requests.

      1. OPTIONS preflight requests require authentication

      The W3 spec for CORS preflight requests clearly states that user credentials should be excluded (see also: https://stackoverflow.com/a/15734032).

      Please exclude OPTIONS in the authentication filter.


      2. OPTIONS response missing Access-Control-Allow-Credentials header

      See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials


      Should be:

      Access-Control-Allow-Credentials: true

      Important: Access-Control-Allow-Credentials is mutually exclusive with:

      Access-Control-Allow-Origin: *

      (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials), and this is enforced by org.apache.catalina.filters.CorsFilter#parseAndStore, meaning that for proper CORS support it is mandatory for the administrator to set allowed origins other than *.

      3. OPTIONS response missing "Authorization" in Access-Control-Allow-Headers, and also X-XSRF-Token (sent by Chrome) and, just to be safe, X-CSRF-Token.

      See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

      Currently:

      access-control-allow-headers: origin,x-requested-with,access-control-request-headers,content-type,access-control-request-method,accept


      Should be:

      access-control-allow-headers: origin,x-requested-with,access-control-request-headers,content-type,access-control-request-method,accept,authorization,x-xsrf-token,x-csrf-token
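      The three points above, as an added Python illustration that is not Camunda's code: a minimal WSGI app that answers CORS preflights before the (Basic) auth check, echoes only an allow-listed origin next to Access-Control-Allow-Credentials: true (never *), and advertises the extended Access-Control-Allow-Headers list. The origin allow-list, the demo credential and the in-process `call` driver are constructed for the example.

```python
import base64

ALLOWED_ORIGINS = {"http://localhost:3000"}  # constructed allow-list; never "*" with credentials
ALLOWED_HEADERS = ("origin,x-requested-with,access-control-request-headers,content-type,"
                   "access-control-request-method,accept,authorization,x-xsrf-token,x-csrf-token")
ALLOWED_METHODS = "GET,POST,PUT,DELETE,OPTIONS"
VALID_BASIC = base64.b64encode(b"demo:demo").decode()  # constructed credential

def is_preflight(environ):
    """A CORS preflight is OPTIONS carrying Origin and Access-Control-Request-Method."""
    return (environ["REQUEST_METHOD"] == "OPTIONS"
            and "HTTP_ORIGIN" in environ
            and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)

def cors_headers(origin):
    # Echo the specific whitelisted origin: browsers reject "*" when credentials are allowed.
    return [("Access-Control-Allow-Origin", origin),
            ("Access-Control-Allow-Credentials", "true"),
            ("Access-Control-Allow-Methods", ALLOWED_METHODS),
            ("Access-Control-Allow-Headers", ALLOWED_HEADERS),
            ("Vary", "Origin")]

def app(environ, start_response):
    origin = environ.get("HTTP_ORIGIN")
    if is_preflight(environ):
        # Preflights are sent without credentials, so they are answered before the auth check.
        if origin not in ALLOWED_ORIGINS:
            start_response("403 Forbidden", [])
            return [b""]
        start_response("204 No Content", cors_headers(origin))
        return [b""]
    if environ.get("HTTP_AUTHORIZATION", "") != "Basic " + VALID_BASIC:
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="engine-rest"')])
        return [b""]
    headers = [("Content-Type", "application/json")]
    if origin in ALLOWED_ORIGINS:
        headers += cors_headers(origin)  # the actual request needs the CORS headers too
    start_response("200 OK", headers)
    return [b'{"id": "constructed-instance"}']

def call(method, headers):
    """Drive the app in-process (no server); returns (status, response header dict)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/engine-rest/process-definition/key/x/start"}
    environ.update({"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()})
    captured = {}
    def start_response(status, hdrs):
        captured.update(status=status, headers=dict(hdrs))
    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]
```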


      Current Workaround

      • Not possible. Turning off authentication is not secure.
      • The only workaround is to use a server-side proxy, e.g. Pipedream

      Relevant source locations

      Related to: CAM-11290, CAM-11838

      Our experience with Camunda BPM Run: https://about.lovia.life/docs/infrastructure/camunda/

      cc Tobias Metzke-Bernstein

      People

      Assignee: Nikola Koevski (nikola.koevski)
      Reporter: Hendy Irawan (hendy)