More than one domain for CORS

Hi! We’re having an issue while using CORS. We’re on Redwood 2.2.0 and using Netlify for hosting. This behaviour is only happening in production; when following this guide (Cross-Origin Resource Sharing | RedwoodJS Docs) to test it locally, it works fine.

Previously, we only needed to make CORS requests from a specific URL. With this configuration:

// api/src/functions/graphql.ts
// ...
export const handler = createGraphQLHandler({
  // ...
  cors: {
    origin: 'https://internal.abillion.com',
  },
})

It works fine. Here are the relevant response headers of the preflight request to /graphql from https://internal.abillion.com:

access-control-allow-credentials: true
access-control-allow-headers: authorization,content-type, authorization,content-type
access-control-allow-methods: POST, POST
access-control-allow-origin: https://internal.abillion.com

However, when we try to change that to an array:

// api/src/functions/graphql.ts
// ...
  cors: {
    origin: ['https://internal.abillion.com', 'https://someotherdomain.com'],
  },

We get null in the allowed origin:

access-control-allow-credentials: true
access-control-allow-headers: authorization,content-type, authorization,content-type
access-control-allow-methods: POST, POST
access-control-allow-origin: null

And when we try with “*”:

// api/src/functions/graphql.ts
// ...
  cors: {
    origin: ['https://internal.abillion.com', 'https://someotherdomain.com'],
  },

We strangely get the same domain twice in the allowed origin, which gives a CORS error as well:

access-control-allow-credentials: true
access-control-allow-headers: authorization,content-type, authorization,content-type
access-control-allow-methods: POST, POST
access-control-allow-origin: https://internal.abillion.com, https://internal.abillion.com

We don’t have any other CORS configuration, be it for authentication, or on Netlify (including netlify.toml).

Has anybody else faced this issue? Any pointers on how we could fix it? Thanks a lot!
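
Added example, not part of the original posts: a small JavaScript check that audits a preflight response the way a browser evaluates it, run over the three header sets quoted in the post above. The function name `auditPreflight` and the lowercase-keyed header objects are assumptions made for illustration.

```javascript
// Added example (not from the thread): audits a CORS preflight response.
// The browser compares access-control-allow-origin to the request's Origin
// as one exact string; it never parses the value as a list.
// Assumption: header names are passed in as lowercase keys.
function auditPreflight(requestOrigin, headers) {
  const errors = [];
  const warnings = [];
  const acao = headers['access-control-allow-origin'];
  const withCredentials = headers['access-control-allow-credentials'] === 'true';

  if (acao === undefined) {
    errors.push('allow-origin missing');
  } else if (acao.includes(',')) {
    errors.push('allow-origin holds more than one value');
  } else if (acao === '*') {
    if (withCredentials) errors.push('wildcard allow-origin with credentials');
  } else if (acao !== requestOrigin) {
    errors.push(`allow-origin "${acao}" does not match the request origin`);
  }

  // Repeated tokens do not break the request (the first response in the post
  // works despite them), but they may indicate the headers were set twice.
  for (const name of ['access-control-allow-headers', 'access-control-allow-methods']) {
    const tokens = (headers[name] || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
    if (new Set(tokens).size !== tokens.length) warnings.push(`${name} repeats tokens`);
  }
  return { ok: errors.length === 0, errors, warnings };
}

// Header values copied from the three responses quoted in the post.
const shared = {
  'access-control-allow-credentials': 'true',
  'access-control-allow-headers': 'authorization,content-type, authorization,content-type',
  'access-control-allow-methods': 'POST, POST',
};
const pageOrigin = 'https://internal.abillion.com';
const samples = {
  singleOrigin: { ...shared, 'access-control-allow-origin': pageOrigin },
  originArray: { ...shared, 'access-control-allow-origin': 'null' },
  wildcard: { ...shared, 'access-control-allow-origin': `${pageOrigin}, ${pageOrigin}` },
};

for (const [label, headers] of Object.entries(samples)) {
  console.log(label, JSON.stringify(auditPreflight(pageOrigin, headers)));
}
```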

Hi @miguel-abillion and thanks for reporting this issue.

I documented it in [Bug?]: Netlify Production CORS Issue with Multi Value Headers with multiple origins · Issue #6279 · redwoodjs/redwood · GitHub and have been working to reproduce the case, but so far I haven’t had luck.

I am still trying a few scenarios, but I was curious if you are still seeing this issue with either version 2.2.4 or the latest 3.0.0-rc candidate?

Hi @dthyresson, we’re going to update to 2.2.4 and report back on whether it fixes the issue. Thanks!

Hi again @dthyresson, we upgraded to 2.2.4 and we still have the same issue. We’re going to try hosting with a different provider than Netlify to see if that fixes the issue.

Hello again @dthyresson and others reading. After updating to Redwood 3.0.0, CORS with more than one domain started working. I’m going to mark this as the solution and close the thread.

Thanks @miguel-abillion for the update and glad to hear it is working properly. I’ve closed the GH issue.