I have installed Istio and configured the ingress gateway with CorsPolicy. For the preflight/options request, the access-control-allow response headers are returned only when the origin header matches. Otherwise Istio returns wrong response headers.
For the actual request, Istio returns the access-control-allow-origin header as the same value as the origin header which was passed in the request.
Is this the expected behavior? How can calls from origins that are not accepted be prevented?
Similar issue here: https://github.com/istio/istio/issues/9783
Istio version: 1.17.2 and 1.20.3
I have installed the standard Istio ingress gateway using istioctl:

```
istioctl install --set profile=demo -y
```
I have configured Istio using the following config.

Gateway:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-ext-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - httpbin.org
```
VirtualService:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-ext-vs
spec:
  hosts:
  - httpbin.org
  gateways:
  - httpbin-ext-gateway
  http:
  - match:
    - gateways:
      - httpbin-ext-gateway
      port: 80
      uri:
        prefix: /status
    route:
    - destination:
        host: httpbin.org
        port:
          number: 80
    corsPolicy:
      allowOrigins:
      - exact: https://example.com
      allowMethods:
      - POST
      - GET
      allowCredentials: false
      allowHeaders:
      - X-Foo-Bar
      maxAge: "1m"
```
Now the following curl commands show the issue.

Options - Origin match:

```
curl -i -X OPTIONS -H "Host: httpbin.org" -H "Origin: https://example.com" -H "Access-Control-Request-Method: GET" http://10.100.41.221/status/418

HTTP/1.1 200 OK
access-control-allow-origin: https://example.com
access-control-allow-methods: POST,GET
access-control-allow-headers: X-Foo-Bar
access-control-max-age: 60
date: Tue, 20 Feb 2024 09:36:24 GMT
server: istio-envoy
content-length: 0
```

Options - Origin DOES NOT match:

```
curl -i -X OPTIONS -H "Host: httpbin.org" -H "Origin: https://example1.com" -H "Access-Control-Request-Method: GET" http://10.100.41.221/status/418

HTTP/1.1 200 OK
date: Tue, 20 Feb 2024 09:36:57 GMT
content-type: text/html; charset=utf-8
content-length: 0
server: istio-envoy
allow: OPTIONS, POST, PUT, HEAD, PATCH, DELETE, GET, TRACE
access-control-allow-origin: https://example1.com
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
access-control-max-age: 3600
x-envoy-upstream-service-time: 433
```

Actual request - Origin match:

```
curl -i -H "Host: httpbin.org" -H "Origin: https://example.com" http://10.100.41.221/status/418

HTTP/1.1 418 Unknown
date: Tue, 20 Feb 2024 09:49:43 GMT
content-length: 135
server: istio-envoy
x-more-info: http://tools.ietf.org/html/rfc2324
access-control-allow-origin: https://example.com
access-control-allow-credentials: true
x-envoy-upstream-service-time: 598
```

Actual request - Origin DOES NOT match:

```
curl -i -H "Host: httpbin.org" -H "Origin: https://example1.com" http://10.100.41.221/status/418

HTTP/1.1 418 Unknown
date: Tue, 20 Feb 2024 09:50:08 GMT
content-length: 135
server: istio-envoy
x-more-info: http://tools.ietf.org/html/rfc2324
access-control-allow-origin: https://example1.com
access-control-allow-credentials: true
x-envoy-upstream-service-time: 439
```
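An added audit helper (example code, not part of the issue or of Istio) that compares the response headers from the curl output above against the corsPolicy in the VirtualService: it flags an Origin outside allowOrigins being reflected in access-control-allow-origin, allow-credentials: true despite allowCredentials: false, and the x-envoy-upstream-service-time header that shows the upstream rather than the gateway produced the CORS headers. The names CorsPolicy, parse_headers and audit_cors are assumptions; the sample responses are copied from the report.

```python
from dataclasses import dataclass, field

@dataclass
class CorsPolicy:
    """Subset of the VirtualService corsPolicy the audit compares against (assumed name)."""
    allow_origins: list = field(default_factory=lambda: ["https://example.com"])
    allow_credentials: bool = False

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response (status line first) into a lowercase-keyed header dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_cors(raw_response: str, request_origin: str, policy: CorsPolicy) -> list:
    """Return findings where the response's CORS headers disagree with the policy."""
    h = parse_headers(raw_response)
    acao = h.get("access-control-allow-origin")
    findings = []
    if acao and acao not in policy.allow_origins:
        findings.append(f"allow-origin {acao!r} is outside allowOrigins")
    if acao == request_origin and request_origin not in policy.allow_origins:
        findings.append("request Origin reflected verbatim")
    if not policy.allow_credentials and h.get("access-control-allow-credentials") == "true":
        findings.append("allow-credentials true but policy allowCredentials is false")
    if "x-envoy-upstream-service-time" in h and (acao or "allow" in h):
        findings.append("headers produced by upstream, gateway did not answer locally")
    return findings

# Constructed samples: the two preflight responses from the curl output in the report.
PREFLIGHT_OK = """HTTP/1.1 200 OK
access-control-allow-origin: https://example.com
access-control-allow-methods: POST,GET
access-control-allow-headers: X-Foo-Bar
access-control-max-age: 60
server: istio-envoy
content-length: 0"""

PREFLIGHT_BAD = """HTTP/1.1 200 OK
server: istio-envoy
allow: OPTIONS, POST, PUT, HEAD, PATCH, DELETE, GET, TRACE
access-control-allow-origin: https://example1.com
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
access-control-max-age: 3600
x-envoy-upstream-service-time: 433"""

if __name__ == "__main__":
    policy = CorsPolicy()
    print(audit_cors(PREFLIGHT_OK, "https://example.com", policy))   # []
    for finding in audit_cors(PREFLIGHT_BAD, "https://example1.com", policy):
        print("FINDING:", finding)
```

The same function can be run over the two actual-request responses above; both trip the reflected-origin and allow-credentials checks because httpbin, not the gateway, wrote those headers.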