diff --git a/apis/v1/httproute_types.go b/apis/v1/httproute_types.go index 07b149127d..384ae095b0 100644 --- a/apis/v1/httproute_types.go +++ b/apis/v1/httproute_types.go @@ -1391,10 +1391,9 @@ type HTTPCORSFilter struct { // the CORS headers. The cross-origin request fails on the client side. // Therefore, the client doesn't attempt the actual cross-origin request. // - // The `Access-Control-Allow-Origin` response header can only use `*` - // wildcard as value when the `AllowCredentials` field is false or omitted. - // - // When the `AllowCredentials` field is true and `AllowOrigins` field + // When the request is credentialed, the gateway must not specify the `*` + // wildcard in the `Access-Control-Allow-Origin` response header. When + // also the `AllowCredentials` field is true and `AllowOrigins` field // specified with the `*` wildcard, the gateway must return a single origin // in the value of the `Access-Control-Allow-Origin` response header, // instead of specifying the `*` wildcard. The value of the header @@ -1452,15 +1451,19 @@ type HTTPCORSFilter struct { // The `Access-Control-Allow-Methods` response header can only use `*` // wildcard as value when the `AllowCredentials` field is false or omitted. // - // When the `AllowCredentials` field is true and `AllowMethods` field + // When the request is credentialed, the gateway must not specify the `*` + // wildcard in the `Access-Control-Allow-Methods` response header. When + // also the `AllowCredentials` field is true and `AllowMethods` field // specified with the `*` wildcard, the gateway must specify one HTTP method // in the value of the Access-Control-Allow-Methods response header. The // value of the header `Access-Control-Allow-Methods` is same as the // `Access-Control-Request-Method` header provided by the client. If the // header `Access-Control-Request-Method` is not included in the request, // the gateway will omit the `Access-Control-Allow-Methods` response header, - // instead of specifying the `*` wildcard. A Gateway implementation may - // choose to add implementation-specific default methods. + // instead of specifying the `*` wildcard. + // + // A Gateway implementation may choose to add implementation-specific + // default methods. // // Support: Extended // @@ -1495,15 +1498,19 @@ type HTTPCORSFilter struct { // The `Access-Control-Allow-Headers` response header can only use `*` // wildcard as value when the `AllowCredentials` field is false or omitted. // - // When the `AllowCredentials` field is true and `AllowHeaders` field + // When the request is credentialed, the gateway must not specify the `*` + // wildcard in the `Access-Control-Allow-Headers` response header. When + // also the `AllowCredentials` field is true and `AllowHeaders` field // specified with the `*` wildcard, the gateway must specify one or more // HTTP headers in the value of the `Access-Control-Allow-Headers` response // header. The value of the header `Access-Control-Allow-Headers` is same as // the `Access-Control-Request-Headers` header provided by the client. If // the header `Access-Control-Request-Headers` is not included in the // request, the gateway will omit the `Access-Control-Allow-Headers` - // response header, instead of specifying the `*` wildcard. A Gateway - // implementation may choose to add implementation-specific default headers. + // response header, instead of specifying the `*` wildcard. + // + // A Gateway implementation may choose to add implementation-specific + // default headers. // // Support: Extended // @@ -1539,7 +1546,7 @@ type HTTPCORSFilter struct { // // A wildcard indicates that the responses with all HTTP headers are exposed // to clients. The `Access-Control-Expose-Headers` response header can only - // use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + // use `*` wildcard as value when the request is not credentialed. // // Support: Extended // diff --git a/geps/gep-1767/index.md b/geps/gep-1767/index.md index 14315e190c..024f1f0743 100644 --- a/geps/gep-1767/index.md +++ b/geps/gep-1767/index.md @@ -51,6 +51,7 @@ The optional response header `Access-Control-Expose-Headers` controls which HTTP If the server specifies the response header `Access-Control-Allow-Credentials: true`, the actual cross-origin request will be able to use credentials for getting sensitive resources. Credentials are cookies, TLS client certificates, or authentication headers containing a username and password. +A "credentialed request" is a request containing some credentials. After the server has permitted the CORS "preflight" request, the client will be able to send actual cross-origin request. If the server doesn't want to allow cross-origin access, it will omit the CORS headers to the client. @@ -211,8 +212,24 @@ type HTTPCORSFilter struct { // // Output: // - // The `Access-Control-Allow-Origin` response header can only use `*` - // wildcard as value when the `AllowCredentials` field is false. + // Conversely, if the request `Origin` matches one of the configured + // allowed origins, the gateway sets the response header + // `Access-Control-Allow-Origin` to the same value as the `Origin` + // header provided by the client. + // + // Input: + // Origin: https://foo.example + // + // Config: + // allowOrigins: ["https://foo.example", "http://test.example"] + // + // Output: + // Access-Control-Allow-Origin: https://foo.example + // + // When config has the wildcard ("*") in allowOrigins, and the request + // is not credentialed (e.g., it is a preflight request), the + // `Access-Control-Allow-Origin` response header contains the + // wildcard as well. // // Input: // Origin: https://foo.example @@ -223,7 +240,9 @@ type HTTPCORSFilter struct { // Output: // Access-Control-Allow-Origin: * // - // When the `AllowCredentials` field is true and `AllowOrigins` + // When the request is credentialed, the gateway must not specify the `*` + // wildcard in the `Access-Control-Allow-Origin` response header. When + // additionally the `AllowCredentials` field is true and `AllowOrigins` // field specified with the `*` wildcard, the gateway must return a // single origin in the value of the `Access-Control-Allow-Origin` // response header, instead of specifying the `*` wildcard. The value @@ -232,6 +251,7 @@ type HTTPCORSFilter struct { // // Input: // Origin: https://foo.example + // Cookie: foo=bar // // Config: // allowOrigins: ["*"] @@ -304,8 +324,9 @@ type HTTPCORSFilter struct { // Output: // Access-Control-Allow-Methods: GET, POST, DELETE, PATCH, OPTIONS // - // The `Access-Control-Allow-Methods` response header can only use `*` - // wildcard as value when the `AllowCredentials` field is false. + // The `Access-Control-Allow-Methods` response header should use `*` + // wildcard as value if config contains the wildcard "*" in allowMethods + // unless the request is credentialed. // // Input: // Access-Control-Request-Method: PUT @@ -316,7 +337,9 @@ type HTTPCORSFilter struct { // Output: // Access-Control-Allow-Methods: * // - // When the `AllowCredentials` field is true and the `AllowMethods` + // When the request is credentialed, the gateway must not specify the `*` + // wildcard in the `Access-Control-Allow-Methods` response header. When + // also the `AllowCredentials` field is true and `AllowMethods` // field specified with the `*` wildcard, the gateway must specify one // HTTP method in the value of the Access-Control-Allow-Methods response // header. The value of the header `Access-Control-Allow-Methods` is same @@ -329,6 +352,7 @@ type HTTPCORSFilter struct { // // Input: // Access-Control-Request-Method: PUT + // Cookie: foo=bar // // Config: // allowMethods: ["*"] @@ -363,6 +387,9 @@ type HTTPCORSFilter struct { // If any header name in the `Access-Control-Allow-Headers` response header does // not recognize by the client, it will also occur an error on the client side. // + // A Gateway implementation may choose to add implementation-specific + // default headers. + // // Input: // Access-Control-Request-Headers: Cache-Control, Content-Type // @@ -374,7 +401,7 @@ type HTTPCORSFilter struct { // // A wildcard indicates that the requests with all HTTP headers are allowed. // The `Access-Control-Allow-Headers` response header can only use `*` wildcard - // as value when the `AllowCredentials` field is false. + // as value when the request is not credentialed. // // Input: // Access-Control-Request-Headers: Content-Type, Cache-Control @@ -385,18 +412,20 @@ type HTTPCORSFilter struct { // Output: // Access-Control-Allow-Headers: * // - // When the `AllowCredentials` field is true and the `AllowHeaders` field + // When the request is credentialed, the gateway must not specify the `*` + // wildcard in the `Access-Control-Allow-Headers` response header. When + // also the `AllowCredentials` field is true and the `AllowHeaders` field // is specified with the `*` wildcard, the gateway must specify one or more // HTTP headers in the value of the `Access-Control-Allow-Headers` response // header. The value of the header `Access-Control-Allow-Headers` is same as // the `Access-Control-Request-Headers` header provided by the client. If // the header `Access-Control-Request-Headers` is not included in the request, // the gateway will omit the `Access-Control-Allow-Headers` response header, - // instead of specifying the `*` wildcard. A Gateway implementation may choose - // to add implementation-specific default headers. + // instead of specifying the `*` wildcard. // // Input: // Access-Control-Request-Headers: Content-Type, Cache-Control + // Cookie: foo=bar // // Config: // allowHeaders: ["*"] @@ -444,7 +473,7 @@ type HTTPCORSFilter struct { // // A wildcard indicates that the responses with all HTTP headers are exposed // to clients. The `Access-Control-Expose-Headers` response header can only use - // `*` wildcard as value when the `AllowCredentials` field is false. + // the `*` wildcard as value when the request is not credentialed. // // Config: // exposeHeaders: ["*"] @@ -452,6 +481,19 @@ type HTTPCORSFilter struct { // Output: // Access-Control-Expose-Headers: * // + // When the `exposeHeaders` config field contains the "*" wildcard and + // the request is credentialed, the gateway cannot use the `*` wildcard in + // the `Access-Control-Expose-Headers` response header. + // + // Input: + // Cookie: foo=bar + // + // Config: + // exposeHeaders: ["*"] + // + // Output: + // Access-Control-Expose-Headers: Content-Encoding, Kuma-Revision + // // Support: Extended // // +optional diff --git a/geps/gep-1767/metadata.yaml b/geps/gep-1767/metadata.yaml index e319aacd1c..8594a4074e 100644 --- a/geps/gep-1767/metadata.yaml +++ b/geps/gep-1767/metadata.yaml @@ -8,9 +8,11 @@ authors: - robscott - EyalPazz - shaneutt + - DamianSawicki references: - https://github.com/kubernetes-sigs/gateway-api/pull/3435 - https://github.com/kubernetes-sigs/gateway-api/pull/3637 - https://github.com/kubernetes-sigs/gateway-api/pull/3656 - https://github.com/kubernetes-sigs/gateway-api/pull/3668 + - https://github.com/kubernetes-sigs/gateway-api/pull/4281