Skip to content

Error: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' #177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
DavidBM opened this issue Apr 20, 2015 · 27 comments
Closed

Error: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' #177

DavidBM opened this issue Apr 20, 2015 · 27 comments

Comments

@DavidBM
Copy link

DavidBM commented Apr 20, 2015

Hi

I'm running node-server in windows in my local computer. With sockjs-client 1.0.0-beta.12 (I use browserify for bundle the frontend), when I try to connect chrome gives me this error:

XMLHttpRequest cannot load http://localhost:12540/websocket/info?t=1429552020306. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access.

It's my fault or is a error from the beta version?

client

Net.prototype.connect = function(url, port, prefix) { //url: 'localhost', port: 12540, prefix: '/websocket'
    var _this = this;

    return new Promise(function (resolve, reject) {

        _this.sock = new SockJS('http://' + url + ':' + port + prefix);

        _this.sock.onopen = resolve.bind(null, _this);
        _this.sock.onmessage = _this._message.bind(_this);
        _this.sock.onclose = _this._close.bind(_this);
    });
};

server

Net.prototype.start = function(port, prefix) { //port: 12540, prefix: '/websocket'
    this.sockjs = Sockjs.createServer({ sockjs_url: 'http://cdn.jsdelivr.net/sockjs/0.3.4/sockjs.min.js' });

    var server = http.createServer();
    this.sockjs.installHandlers(server, {prefix: prefix});
    server.listen(port, '0.0.0.0');
    return this;
};
@3rd-Eden
Copy link

The client shouldn't really change how CORS works on the web so it looks to me that was already an existing issue. It's most likely the cause of https://github.com/sockjs/sockjs-node/blob/master/src/trans-xhr.coffee#L60-L61 as it checks if null is send as origin header and just bluntly uses * as reply value.

Got steps to reproduce this? Like using InPrivate browsing mode to visit your page (this causes null to be used as Origin value for example).

@brycekahle
Copy link
Contributor

Details like browser and full request/response header dump would be really helpful.

@DavidBM
Copy link
Author

DavidBM commented Apr 20, 2015

The mentioned error is from chrome 42.0.2311.90 m in normal browsing.

This is the log from firefox developer edition (39.0a2), the output is the same in private browsing and in normal browsing:

20:34:42.013 var s = new service('localhost', '12540', '/websocket');
20:34:42.016 undefined
20:34:42.021 "sockjs-client:main " "using url" " +11s" "http://localhost:12540/websocket" bundle.js:6534:8
20:34:42.022 "sockjs-client:utils:url " "same" " +1ms" "http://localhost:12540/websocket" "file:///D:/Trabajo/Repositorios/starriser-frontend/bundle/index.html" false bundle.js:6534:8
20:34:42.023 "sockjs-client:info-receiver " "http://localhost:12540/websocket" " +1ms" bundle.js:6534:8
20:34:42.029 "sockjs-client:info-receiver " "doXhr" " +6ms" "http://localhost:12540/websocket/info" bundle.js:6534:8
20:34:42.030 "sockjs-client:browser:xhr " "GET" " +1ms" "http://localhost:12540/websocket/info" bundle.js:6534:8
20:34:42.033 "sockjs-client:browser:xhr " "withCredentials" " +3ms" bundle.js:6534:8
20:34:43.079 "sockjs-client:browser:xhr " "readyState" " +1s" 2 bundle.js:6534:8
20:34:43.080 "sockjs-client:browser:xhr " "readyState" " +1ms" 4 bundle.js:6534:8
20:34:43.081 "sockjs-client:browser:xhr " "status" " +1ms" 0 bundle.js:6534:8
20:34:43.082 "sockjs-client:browser:xhr " "finish" " +1ms" 0 "" bundle.js:6534:8
20:34:43.082 "sockjs-client:info-receiver " "finish" " +0ms" undefined undefined bundle.js:6534:8
20:34:43.083 "sockjs-client:info-receiver " "_cleanup" " +1ms" bundle.js:6534:8
20:34:43.083 "sockjs-client:main " "_receiveInfo" " +0ms" undefined bundle.js:6534:8
20:34:43.084 "sockjs-client:main " "_close" " +1ms" undefined 1002 "Cannot connect to server" undefined 0 bundle.js:6534:8
20:34:43.084 "sockjs-client:browser:xhr " "cleanup" " +0ms" bundle.js:6534:8
20:34:43.079 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:12540/websocket/info?t=1429554882033. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*'). <unknown>
20:34:43.084 ReferenceError: reference to undefined property this.transport bundle.js:35007:2
20:34:43.111 "sockjs-client:main " "disconnected" " +27ms" bundle.js:6534:8

20:34:42.022 "sockjs-client:utils:url " "same" " +1ms" "http://localhost:12540/websocket" "file:///D:/Trabajo/Repositorios/starriser-frontend/bundle/index.html" false bundle.js:6534:8

Reading this line I think that I need run a local server to retrieve the index.html and not opening the file directly.

The headers:

Response headers

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Vary: Origin
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: application/json; charset=UTF-8
Date: Mon, 20 Apr 2015 18:46:44 GMT
Connection: keep-alive
Transfer-Encoding: chunked

Request headers

GET /websocket/info?t=1429555604907 HTTP/1.1
Host: localhost:12540
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: null
Connection: keep-alive

@DavidBM
Copy link
Author

DavidBM commented Apr 20, 2015

Seems that a wildcard "*" is not a valid Access-Control-Allow-Headers value: http://stackoverflow.com/questions/13146892/cors-access-control-allow-headers-wildcard-being-ignored

@brycekahle
Copy link
Contributor

We aren't setting that header, from your response dump Access-Control-Allow-Origin: *. I would try running a small local server to serve up your index.html and see if that solves the issue.

@3rd-Eden
Copy link

As you can see from your the request you made the Origin header is set to null which automatically causes the SockJS server to use * as value (see linked lines of code I posted above). For some reason you're sending these headers by default.

Are you running this from a file:// protocol?

@lpinca
Copy link

lpinca commented Apr 21, 2015

Anyway the response to a "credentialed" request cannot include the Access-Control-Allow-Origin: * header [1], so SockJS is wrong here.
It must be either a single origin or the string null [2].
In this case it should be Access-Control-Allow-Origin: null.

[1] : https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials
[2] : http://www.w3.org/TR/cors/#access-control-allow-origin-response-header

@lpinca
Copy link

lpinca commented Apr 21, 2015

Reading this line I think that I need run a local server to retrieve the index.html and not opening the file directly.

This explains why the request Origin is null.

@3rd-Eden
Copy link

@lpinca Ah, I completely missed that part. Yes, so you're serving from a file:// protocol. You could run a server instead and it would "fix" the problem. But it doesn't fix the root cause and that is that SockJS is doing CORS wrong by bluntly assuming that null as Origin value should be result in a Access-Control-Allow-Origin: * while it should be Access-Control-Allow-Origin: null

@DavidBM
Copy link
Author

DavidBM commented Apr 21, 2015

With a local server works fine.

10:05:13.934 var s = new service('localhost', '12540', '/websocket');
10:05:13.936 undefined
10:05:13.940 "sockjs-client:main " "using url" " +6s" "http://localhost:12540/websocket" bundle.js:6534:8
10:05:13.940 "sockjs-client:utils:url " "same" " +0ms" "http://localhost:12540/websocket" "http://localhost:8080/index.html" false bundle.js:6534:8
10:05:13.941 "sockjs-client:info-receiver " "http://localhost:12540/websocket" " +1ms" bundle.js:6534:8
10:05:13.945 "sockjs-client:info-receiver " "doXhr" " +4ms" "http://localhost:12540/websocket/info" bundle.js:6534:8
10:05:13.945 "sockjs-client:browser:xhr " "GET" " +0ms" "http://localhost:12540/websocket/info" bundle.js:6534:8
10:05:13.947 "sockjs-client:browser:xhr " "withCredentials" " +2ms" bundle.js:6534:8
10:05:13.965 GET XHR http://localhost:12540/websocket/info [HTTP/1.1 200 OK 347ms]
10:05:14.295 "sockjs-client:browser:xhr " "readyState" " +348ms" 2 bundle.js:6534:8
10:05:14.296 "sockjs-client:browser:xhr " "readyState" " +1ms" 3 bundle.js:6534:8
10:05:14.297 "sockjs-client:browser:xhr " "status" " +1ms" 200 bundle.js:6534:8
10:05:14.297 "sockjs-client:browser:xhr " "chunk" " +0ms" bundle.js:6534:8
10:05:14.297 "sockjs-client:browser:xhr " "readyState" " +0ms" 4 bundle.js:6534:8
10:05:14.298 "sockjs-client:browser:xhr " "status" " +1ms" 200 bundle.js:6534:8
10:05:14.298 "sockjs-client:browser:xhr " "finish" " +0ms" 200 "{"websocket":true,"origins":["*:*"],"cookie_needed":false,"entropy":1483166460}" bundle.js:6534:8
10:05:14.298 "sockjs-client:info-receiver " "finish" " +0ms" Object { websocket: true, origins: Array[1], cookie_needed: false, entropy: 1483166460 } 353 bundle.js:6534:8
10:05:14.299 "sockjs-client:info-receiver " "_cleanup" " +1ms" bundle.js:6534:8
10:05:14.300 "sockjs-client:main " "_receiveInfo" " +1ms" 353 bundle.js:6534:8
10:05:14.300 "sockjs-client:main " "info" " +0ms" Object { websocket: true, origins: Array[1], cookie_needed: false, entropy: 1483166460, nullOrigin: false, sameOrigin: false, sameScheme: true } bundle.js:6534:8
10:05:14.301 "sockjs-client:websocket " "enabled" " +1ms" bundle.js:6534:8
10:05:14.302 "sockjs-client:utils:transport " "enabled" " +0ms" "websocket" bundle.js:6534:8
10:05:14.302 "sockjs-client:utils:transport " "enabled" " +1ms" "xhr-streaming" bundle.js:6534:8
10:05:14.302 "sockjs-client:utils:transport " "disabled" " +0ms" "xdr-streaming" bundle.js:6534:8
10:05:14.302 "sockjs-client:utils:transport " "enabled" " +0ms" "eventsource" bundle.js:6534:8
10:05:14.303 "sockjs-client:utils:transport " "enabled" " +1ms" "iframe-eventsource" bundle.js:6534:8
10:05:14.303 "sockjs-client:utils:transport " "disabled" " +0ms" "htmlfile" bundle.js:6534:8
10:05:14.303 "sockjs-client:utils:transport " "enabled" " +0ms" "iframe-htmlfile" bundle.js:6534:8
10:05:14.304 "sockjs-client:utils:transport " "enabled" " +1ms" "xhr-polling" bundle.js:6534:8
10:05:14.304 "sockjs-client:utils:transport " "disabled" " +0ms" "xdr-polling" bundle.js:6534:8
10:05:14.304 "sockjs-client:utils:transport " "enabled" " +0ms" "iframe-xhr-polling" bundle.js:6534:8
10:05:14.305 "sockjs-client:utils:transport " "enabled" " +1ms" "jsonp-polling" bundle.js:6534:8
10:05:14.305 "sockjs-client:main " "8 enabled transports" " +0ms" bundle.js:6534:8
10:05:14.305 "sockjs-client:main " "attempt" " +0ms" "websocket" bundle.js:6534:8
10:05:14.306 "sockjs-client:main " "using timeout" " +1ms" 2824 bundle.js:6534:8
10:05:14.306 "sockjs-client:main " "transport url" " +0ms" "http://localhost:12540/websocket/904/cnxo0ou0" bundle.js:6534:8
10:05:14.306 "sockjs-client:websocket " "enabled" " +0ms" bundle.js:6534:8
10:05:14.306 "sockjs-client:websocket " "constructor" " +0ms" "http://localhost:12540/websocket/904/cnxo0ou0" bundle.js:6534:8
10:05:14.307 "sockjs-client:browser:xhr " "cleanup" " +1ms" bundle.js:6534:8
10:05:14.369 GET http://localhost:12540/websocket/904/cnxo0ou0/websocket [HTTP/1.1 101 Switching Protocols 7ms]
10:05:14.418 "sockjs-client:websocket " "message event" " +111ms" "o" bundle.js:6534:8
10:05:14.419 "sockjs-client:main " "_transportMessage" " +1ms" "o" bundle.js:6534:8
10:05:14.419 "sockjs-client:main " "_open" " +0ms" "websocket" 0 bundle.js:6534:8
10:05:14.420 "sockjs-client:main " "connected" " +1ms" "websocket" bundle.js:6534:8
10:05:39.323 "sockjs-client:websocket " "message event" " +25s" "h" bundle.js:6534:8
10:05:39.324 "sockjs-client:main " "_transportMessage" " +1ms" "h" bundle.js:6534:8
10:05:39.324 "sockjs-client:main " "heartbeat" " +0ms" "websocket" bundle.js:6534:8

Request headers

GET /websocket/info?t=1429603513946 HTTP/1.1
Host: localhost:12540
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/index.html
Origin: http://localhost:8080
Connection: keep-alive

Response headers

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
access-control-allow-origin: http://localhost:8080
Vary: Origin
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: application/json; charset=UTF-8
Date: Tue, 21 Apr 2015 08:05:14 GMT
Connection: keep-alive
Transfer-Encoding: chunked

@brycekahle
Copy link
Contributor

@3rd-Eden Are you saying that Access-Control-Allow-Origin should be null whenever Origin is null?

@brycekahle
Copy link
Contributor

It seems this behavior was intentional (see b2081aa). Was @majek mistaken?

@3rd-Eden
Copy link

3rd-Eden commented May 6, 2015

@brycekahle Yes, it should respond with null. I think he was mistaken as it clearly breaks the CORS specification as * origins can never be used for credential requests. If the fix was to support PhoneCrap then the uses should be advised to whitelist their domains as this will cause a correct Origin header to be set.

novoselt added a commit to novoselt/sockjs-tornado that referenced this issue Jun 22, 2015
@novoselt
Do not reply with Allow-Origin '*' for null Origin
6c745ee 
Otherwise local files do not work because of CORS issues, see sockjs/sockjs-node#177
@novoselt novoselt mentioned this issue Jun 22, 2015
Merged
@g-p-g g-p-g mentioned this issue Aug 22, 2015
Open
@herzaso herzaso mentioned this issue Oct 13, 2015
Open
@ivan-kleshnin
Copy link

Any news why this will be released as 0.3.16?

@ivan-kleshnin ivan-kleshnin mentioned this issue Dec 21, 2015
Closed
paulhovey added a commit to paulhovey/sockjs-go that referenced this issue Dec 23, 2015
@paulhovey
fix cors issue - when origin is null, cors should return null origin. s…
260501f 
…ockjs/sockjs-node#177
@paulhovey paulhovey mentioned this issue Dec 23, 2015
Merged
@brycekahle
Copy link
Contributor

@ivan-kleshnin I just got back from holiday. I will do a release this week and ping you when it happens.

@brycekahle brycekahle mentioned this issue Jan 5, 2016
Closed
@KyleAMathews
Copy link

@brycekahle hey, has this been released? CORS in webpack-dev-server is broken right now webpack/webpack-dev-server#277

@brycekahle
Copy link
Contributor

@KyleAMathews not yet, sorry. I'll do my best to get it out this evening.

@KyleAMathews
Copy link

💯
On Mon, Feb 8, 2016 at 4:05 PM Bryce Kahle notifications@github.com wrote:

@KyleAMathews https://github.com/KyleAMathews not yet, sorry. I'll do
my best to get it out this evening.


Reply to this email directly or view it on GitHub
#177 (comment).

@brycekahle
Copy link
Contributor

@KyleAMathews sorry I haven't released this yet. Work has been crazy because we just launched a product.

@garrettmaring
Copy link

Update? 🤓

@genffy
Copy link

genffy commented Mar 21, 2016

may this condition still in sockjs-client v1.0.3

@brycekahle
Copy link
Contributor

@ivan-kleshnin @KyleAMathews @garrettmaring @genffy I just published sockjs-node 0.3.16. Sorry about the major delay.

@garrettmaring
Copy link

@brycekahle Is this confirmed to be working? Which commit could I take a look at (only saw README update one)?

@brycekahle
Copy link
Contributor

@garrettmaring 7c8bfd2

@brycekahle brycekahle mentioned this issue Apr 30, 2016
Closed
@ghost ghost mentioned this issue Apr 6, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@3rd-Eden @KyleAMathews @brycekahle @lpinca @genffy @ivan-kleshnin @DavidBM @garrettmaring and others