Hi All,
I use rest methods (GET, POST, DELETE) (OPTIONS by the browser)
in my project (GUI that runs in a browser and queries confd).
With confd-6.5 I have no problem, but with confd-7.3 I have a CORS problem.
I have identified the problem.
The browser sends an OPTIONS request before the GET request for CORS.
In confd-6.5 I can use rest and the OPTIONS request doesn’t need to have basic auth in the header.
curl -v -H "Accept: application/yang-data+json" \
  http://localhost:8008/restconf/data/dynamic-attributes/dyn-attr-config -X OPTIONS
< HTTP/1.1 200 OK
< Server:
< Allow: DELETE, GET, HEAD, PATCH, POST, PUT, OPTIONS
< Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
< Content-Length: 0
< Content-Type: text/html
< Accept-Patch: application/yang-data+xml, application/yang-data+json
< Access-Control-Allow-Headers: Accept,…
< Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: *
< Pragma: no-cache
For confd-7.3 rest is deprecated, but this is allowed (sec 24.9 pg 477 of confd_user_guide-7.3):
<restconf>
  <enabled>true</enabled>
  <customHeaders>
    <header>
      <name>Access-Control-Allow-Origin</name>
      <value>*</value>
    </header>
  </customHeaders>
</restconf>
But it seems like it expects the OPTIONS request to have basic auth as well, and that's the cause of the failure:
curl -v -H "Accept: application/yang-data+json" \
  http://localhost:8008/restconf/data/dynamic-attributes/dyn-attr-config -X OPTIONS
< HTTP/1.1 401 Unauthorized
< Date: Thu, 15 Oct 2020 04:50:22 GMT
< Content-Length: 169
< Content-Type: application/yang-data+xml
< WWW-Authenticate: Basic realm="restconf"
< Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
Whereas if I send basic auth with it, it works:
curl -v -H "Accept: application/yang-data+json" \
  http://localhost:8008/restconf/data/dynamic-attributes/dyn-attr-config -X OPTIONS -u admin:admin
< HTTP/1.1 200 OK
< Date: Thu, 15 Oct 2020 04:50:48 GMT
< Allow: DELETE, GET, HEAD, PATCH, POST, PUT, OPTIONS
< Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< Pragma: no-cache
< Accept-Patch: application/yang-data+xml, application/yang-data+json
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Accept,...
Any insights on how to tackle this problem (any confd.conf changes)?
Thanks
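
Added example, not part of the original post and not ConfD code: browsers send the CORS preflight OPTIONS without credentials and abort unless it comes back with a 2xx status and matching Access-Control-* headers, so this Python example applies those checks to `curl -v` output like the responses above. The function names `parse_curl_response` and `preflight_failure`, the `credentials` flag (modelling a `withCredentials` / `credentials: "include"` request), and the sample responses are assumptions constructed for illustration.

```python
import re

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # never need Access-Control-Allow-Methods

def parse_curl_response(text):
    """Turn the '<' lines of `curl -v` output into (status, {lowercased header: value})."""
    status, headers = None, {}
    for line in re.findall(r"^[ \t]*<[ \t]*(.+?)[ \t]*$", text, re.M):
        m = re.match(r"HTTP/\S+\s+(\d{3})", line)
        if m:
            status = int(m.group(1))
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def _tokens(value):
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def preflight_failure(status, headers, origin, method, unsafe_headers=(), credentials=False):
    """Return None if a browser would accept this preflight response, else the reason."""
    if status is None or not 200 <= status <= 299:
        return f"preflight status {status} is not 2xx"
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return "no Access-Control-Allow-Origin header"
    if credentials:  # cookies / browser-managed HTTP auth: wildcards are not honoured
        if acao != origin:
            return "credentialed request needs Access-Control-Allow-Origin to equal the origin"
        if headers.get("access-control-allow-credentials") != "true":
            return "credentialed request needs Access-Control-Allow-Credentials: true"
    elif acao not in ("*", origin):
        return f"origin {origin} not allowed"
    wild = set() if credentials else {"*"}
    methods = _tokens(headers.get("access-control-allow-methods"))
    if method.upper() not in SAFELISTED_METHODS and not methods & ({method.lower()} | wild):
        return f"method {method} not allowed"
    allowed = _tokens(headers.get("access-control-allow-headers"))
    for name in (h.lower() for h in unsafe_headers):
        star = set() if name == "authorization" else wild  # '*' never covers Authorization
        if not allowed & ({name} | star):
            return f"request header {name} not allowed"
    return None

# Constructed samples shaped like the post's responses (the Allow-Headers value is assumed).
UNAUTHENTICATED = '< HTTP/1.1 401 Unauthorized\n< WWW-Authenticate: Basic realm="restconf"\n'
PERMISSIVE = ("< HTTP/1.1 200 OK\n< Access-Control-Allow-Origin: *\n"
              "< Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS\n"
              "< Access-Control-Allow-Headers: Accept, Authorization\n")
```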