CORS error for OPTIONS request confd-7.3

Hi All,

I use REST methods (GET, POST, DELETE; OPTIONS is sent by the browser)
in my project (a GUI that runs in a browser and queries ConfD).

With confd-6.5 I have no problem, but with confd-7.3 I have a CORS problem.

I have identified the problem.
The browser sends an OPTIONS request before the GET request for CORS.

In confd-6.5 I can use REST and the OPTIONS request doesn't need to have basic auth in the header.

curl -v -H "Accept: application/yang-data+json" \
     http://localhost:8008/restconf/data/dynamic-attributes/dyn-attr-config -X OPTIONS

< HTTP/1.1 200 OK
< Server: 
< Allow: DELETE, GET, HEAD, PATCH, POST, PUT, OPTIONS
< Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
< Content-Length: 0
< Content-Type: text/html
< Accept-Patch: application/yang-data+xml, application/yang-data+json
< Access-Control-Allow-Headers: Accept,…
< Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: *
< Pragma: no-cache

For confd-7.3 REST is deprecated, but this is allowed (sec 24.9, pg 477 of confd_user_guide-7.3):

<restconf>
    <enabled>true</enabled>
    <customHeaders>
        <header>
            <name>Access-Control-Allow-Origin</name>
            <value>*</value>
        </header>
    </customHeaders>
</restconf>

But it seems like it expects the OPTIONS request to have basic auth as well, and that's the cause of the failure:

curl -v -H "Accept: application/yang-data+json" \
     http://localhost:8008/restconf/data/dynamic-attributes/dyn-attr-config -X OPTIONS

< HTTP/1.1 401 Unauthorized
< Date: Thu, 15 Oct 2020 04:50:22 GMT
< Content-Length: 169
< Content-Type: application/yang-data+xml
< WWW-Authenticate: Basic realm="restconf"
< Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block

Whereas, if I send basic auth with it, it works:

curl -v -H "Accept: application/yang-data+json" \
     http://localhost:8008/restconf/data/dynamic-attributes/dyn-attr-config -X OPTIONS -u admin:admin

< HTTP/1.1 200 OK
< Date: Thu, 15 Oct 2020 04:50:48 GMT
< Allow: DELETE, GET, HEAD, PATCH, POST, PUT, OPTIONS
< Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< Pragma: no-cache
< Accept-Patch: application/yang-data+xml, application/yang-data+json
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Accept,...

Any insights on how to tackle this problem (any confd.conf changes)?

Thanks :)

Hi,
From the ConfD 7.3 CHANGES file:
Deny unauthorized OPTIONS requests. HTTP OPTIONS were allowed for unauthorized requests. This could lead to information leaks where an unauthenticated attacker could poke resources to check for existence. HTTP OPTIONS are now denied if they are not authenticated.
A reverse-proxy workaround is one way. If not, since the W3C CORS standard states that credentials should not be sent with the CORS preflight check, open a support case for making
it possible to disable the credentials requirement for CORS preflight.

Hi @cohult
I will be integrating my project with someone who uses official ConfD releases,
so I think the reverse proxy is the more viable option.
Is there an example of a reverse proxy? Any hints/help is much appreciated.

Thanks!!
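As an added example (not from this thread, and not ConfD's or any poster's code), a minimal Python reverse proxy of the kind suggested above: it answers the browser's OPTIONS preflight itself, so the preflight needs no credentials and ConfD never sees an unauthenticated OPTIONS, and it relays every other request, Authorization header included, to ConfD unchanged. The ConfD address (localhost:8008, taken from the curl commands), the allowed GUI origin and the proxy port are assumptions; note that it echoes the exact allow-listed origin rather than `*`, because browsers reject `*` in combination with `Access-Control-Allow-Credentials: true`, which a GUI sending basic auth needs.

```python
import http.server
import urllib.request
from urllib.error import HTTPError
# Assumed values, not from the thread: ConfD on localhost:8008 as in the curl
# examples; the GUI origin and the proxy port are constructed placeholders.
UPSTREAM = "http://localhost:8008"
ALLOWED_ORIGINS = {"http://localhost:3000"}
ALLOWED_METHODS = "GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS"
ALLOWED_HEADERS = "Accept, Content-Type, Authorization"

def cors_headers(origin, preflight=False):
    """CORS headers for an allow-listed Origin, or None if it is not allowed. The exact origin
    is echoed, not '*': browsers reject '*' with Allow-Credentials: true, which the GUI needs."""
    if origin not in ALLOWED_ORIGINS:
        return None
    hdrs = {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    if preflight:  # preflight extras; the preflight is answered here and never reaches ConfD
        hdrs.update({"Access-Control-Allow-Methods": ALLOWED_METHODS,
                     "Access-Control-Allow-Headers": ALLOWED_HEADERS, "Access-Control-Max-Age": "600"})
    return hdrs

class Proxy(http.server.BaseHTTPRequestHandler):
    def do_OPTIONS(self):
        # Unauthenticated preflight: 204 for an allow-listed origin, 403 for anything else.
        hdrs = cors_headers(self.headers.get("Origin", ""), preflight=True)
        self.send_response(204 if hdrs else 403)
        for k, v in {**(hdrs or {}), "Content-Length": "0"}.items():
            self.send_header(k, v)
        self.end_headers()

    def forward(self):
        # Relay every other request, Authorization header included, to ConfD unchanged.
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))) or None
        req = urllib.request.Request(UPSTREAM + self.path, data=body, method=self.command,
                                     headers={k: v for k, v in self.headers.items() if k.lower() != "host"})
        try:
            resp = urllib.request.urlopen(req)
        except HTTPError as err:  # ConfD's own 401 etc. is passed back as-is
            resp = err
        self.send_response(resp.getcode())
        cors = cors_headers(self.headers.get("Origin", "")) or {}
        for k, v in list(resp.headers.items()) + list(cors.items()):
            if k.lower() not in ("transfer-encoding", "connection", "date", "server"):
                self.send_header(k, v)
        self.end_headers()
        self.wfile.write(resp.read())
    do_GET = do_HEAD = do_POST = do_PUT = do_PATCH = do_DELETE = forward

if __name__ == "__main__":
    http.server.ThreadingHTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

Point the GUI at the proxy's port instead of ConfD's; in production the same two rules (answer OPTIONS locally for allow-listed origins, proxy the rest) are normally expressed in nginx or Apache rather than in Python.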