Before creating a GitHub issue it seemed like a good idea to post here.

We had a recent situation where one of our APIs set `Access-Control-Allow-Origin` equal to `*` to allow our front-end team to locally develop against the API directly (rather than through Kong). Regretfully this code wasn’t conditional based on the environment. However, I was shocked to discover that even with the API sitting behind Kong and the Cors plugin configured the `*` was still being proxied/returned.

Looking at the plugin’s `configure_origin()` here it became clear that if it finds a match it sets `Access-Control-Allow-Origin` to the valid origin, but if it doesn’t find a match it does nothing. Doing nothing allows the `*` to get through in our case.

Instead of doing nothing when no origins match, shouldn’t the Cors plugin ensure the `Access-Control-Allow-Origin` header doesn’t exist?
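To make the failure mode concrete, here is an added model of the response-phase logic the post describes, written for this thread rather than taken from Kong: `strip_on_miss=False` reproduces the observed "do nothing on no match" behaviour, `strip_on_miss=True` is the proposed fix. Origin matching is simplified to exact string comparison, and the configured origin, upstream headers and request origins are constructed sample values.

```python
"""Model of the CORS origin handling discussed above (not Kong's code).

cors_filter() simulates the plugin's response phase: given the configured
origins, the request's Origin header and the upstream response headers, it
returns the headers the client would receive.
"""

ACAO = "access-control-allow-origin"


def _lower_keys(headers):
    # HTTP header names are case-insensitive; normalise so an upstream
    # "Access-Control-Allow-Origin" cannot slip past a case-sensitive check.
    return {k.lower(): v for k, v in headers.items()}


def cors_filter(conf_origins, request_origin, upstream_headers, strip_on_miss):
    headers = _lower_keys(upstream_headers)
    if "*" in conf_origins:
        headers[ACAO] = "*"
    elif request_origin is not None and request_origin in conf_origins:
        headers[ACAO] = request_origin
        headers["vary"] = "Origin"  # reflected value depends on the request
    elif strip_on_miss:
        # Proposed fix: no configured origin matched, so make sure no
        # Access-Control-Allow-Origin header from upstream reaches the client.
        headers.pop(ACAO, None)
    # With strip_on_miss=False nothing happens here, so an upstream "*" survives.
    return headers


# Constructed scenario from the post: the upstream API unconditionally returns
# "*", the plugin is configured for one trusted origin, and the request comes
# from an origin that is not configured.
CONF_ORIGINS = ["https://app.example.test"]
UPSTREAM = {"Content-Type": "application/json", "Access-Control-Allow-Origin": "*"}


def leaked_wildcard(strip_on_miss):
    """True if a non-matching origin still receives the upstream's '*'."""
    out = cors_filter(CONF_ORIGINS, "https://other.example.test", UPSTREAM, strip_on_miss)
    return out.get(ACAO) == "*"


if __name__ == "__main__":
    print("current behaviour leaks upstream '*':", leaked_wildcard(False))  # True
    print("after fix leaks upstream '*':", leaked_wildcard(True))  # False
    print("matching origin gets:", cors_filter(CONF_ORIGINS, CONF_ORIGINS[0], UPSTREAM, True)[ACAO])
```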