- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Not A Bug
- Affects Version/s: 10.10
- Fix Version/s: None
- Component/s: Web Common
- Tags:
- Backlog priority: 700
- Sprint: nxplatform #95
- Story Points: 5
Using a strict CORS config with a reverse proxy enabled causes requests whose source and target URIs are the same to be denied, even though server debug logging indicates that they should be allowed.
Steps to Reproduce:
1. Set up a reverse proxy with a simple virtual host definition - for example using Apache2 (in httpd.conf):
    <VirtualHost *:80>
        # Tell Nuxeo the public URL it is served under behind the proxy
        RequestHeader append nuxeo-virtual-host "http://my.example.com/"
        ProxyRequests Off
        ProxyPass /nuxeo/ http://localhost:8080/nuxeo/
        ProxyPassReverse /nuxeo/ http://localhost:8080/nuxeo/
        ServerName my.example.com
    </VirtualHost>
Be sure to map the domain name in your hosts file:
127.0.0.1 my.example.com
2. Set up a strict CORS configuration - for example, the following, which allows the Microsoft IDP redirect:
    <require>org.nuxeo.ecm.platform.ui.web.cors.config</require>
    <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService"
               point="corsConfig">
      <corsConfig name="idp" supportedMethods="POST" allowOrigin="https://login.microsoftonline.com">
        <pattern>/.*</pattern>
      </corsConfig>
    </extension>
3. Start the reverse proxy service and Nuxeo instance.
4. Access the Web UI login page using your virtual host server name (in this example, http://my.example.com/nuxeo/login.jsp).
5. Attempt to log in with default credentials.
Expected Behavior: login proceeds as normal.
Actual Behavior: login fails with CORS Origin denied error.
While NuxeoCorsCsrfFilter indicates the request should be allowed because the source and target URIs are the same (my.example.com in this case), CORSConfig does not perform this same-origin check, which results in the 403.
Note: updating the CORS config to include the virtual host name in the allowOrigin list will allow the login to proceed. After accessing the Web UI, further requests will fail with 405 errors because their methods are not allowed from this domain; these must be added to the supportedMethods list as well. However, this workaround results in a less secure CORS configuration, which may not be desirable.
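To make the difference between the two checks concrete, the following is an added, constructed model of the behaviour described above; it is not Nuxeo's code and does not reproduce NuxeoCorsCsrfFilter or CORSConfig. It assumes the target origin is taken from the nuxeo-virtual-host header set by the proxy, that a same-origin CSRF check compares that target with the browser's Origin header, and that the CORS check consults only the allowOrigin and supportedMethods values of the contribution. Running it over the login POST from the report shows the same-origin check passing while the allow-list check returns 403, then shows the 405 that appears once the origin is added but the Web UI starts issuing GET requests.

```python
from urllib.parse import urlsplit

# Constructed sample request: the login POST as it reaches Nuxeo through the
# Apache reverse proxy from the report (not a captured request).
LOGIN_POST = {
    "method": "POST",
    "headers": {
        "Host": "localhost:8080",                        # what the proxy connects to
        "nuxeo-virtual-host": "http://my.example.com/",  # public URL added by the proxy
        "Origin": "http://my.example.com",               # sent by the browser
    },
}

# The strict contribution from the report, and the relaxed workaround it describes.
STRICT = {"allowOrigin": ["https://login.microsoftonline.com"], "supportedMethods": ["POST"]}
WORKAROUND = {
    "allowOrigin": ["https://login.microsoftonline.com", "http://my.example.com"],
    "supportedMethods": ["POST", "GET", "PUT", "DELETE"],
}


def origin_tuple(url):
    """Normalise a URL to (scheme, host, port) so 'http://a/' and 'http://a' compare equal."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def target_origin(headers):
    """Public origin of the request: the virtual-host header wins over Host (assumption)."""
    virtual = headers.get("nuxeo-virtual-host")
    if virtual:
        return origin_tuple(virtual)
    return origin_tuple("http://" + headers["Host"])


def source_origin(headers):
    """Origin the browser declares: Origin, falling back to Referer."""
    src = headers.get("Origin") or headers.get("Referer")
    return origin_tuple(src) if src else None


def csrf_same_origin_allows(request):
    """Model of a same-origin check: the request passes when source == target."""
    src = source_origin(request["headers"])
    return src is not None and src == target_origin(request["headers"])


def cors_config_allows(request, cors):
    """Model of an allow-list-only check with no same-origin exception.

    Returns (allowed, status): 403 when the origin is not listed, 405 when the
    method is not in supportedMethods, 200 otherwise.
    """
    src = source_origin(request["headers"])
    allowed_origins = {origin_tuple(o) for o in cors["allowOrigin"]}
    if src is None or src not in allowed_origins:
        return (False, 403)
    if request["method"].upper() not in {m.upper() for m in cors["supportedMethods"]}:
        return (False, 405)
    return (True, 200)


def evaluate(request, cors):
    """Outcome of both checks; the CORS allow-list decision determines the status."""
    cors_ok, status = cors_config_allows(request, cors)
    return {
        "csrf_same_origin": csrf_same_origin_allows(request),
        "cors_config": cors_ok,
        "status": status,
    }


if __name__ == "__main__":
    print("login POST, strict config     :", evaluate(LOGIN_POST, STRICT))
    print("login POST, workaround config :", evaluate(LOGIN_POST, WORKAROUND))
    # The Web UI's follow-up requests are not all POSTs; with only the origin
    # added (methods left at POST) they are refused with 405.
    follow_up_get = dict(LOGIN_POST, method="GET")
    origin_only = {"allowOrigin": WORKAROUND["allowOrigin"], "supportedMethods": ["POST"]}
    print("follow-up GET, origin added   :", evaluate(follow_up_get, origin_only))
```

The first line of output shows the contradiction the report describes: the same-origin check is satisfied, yet the allow-list check alone decides the response. The last line shows why the workaround has to widen supportedMethods as well as allowOrigin, which is what makes the resulting configuration broader than the strict one.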