Oathkeeper duplicates CORS headers

[kamilkloch]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

We are using oathkeeper and kratos services.
When oathkeeper CORS config looks as follows:

cors:
  enabled: true
  allowed_origins:
    - "https://ui-admin.our-company.com"

then the request

curl -v 'https://webapi-user.our-company.com/api/v1/datafeed/rollingbar?name=ADAUSD' -H 'origin: https://ui-admin.our-company.com'

produces the following output in the headers:

access-control-allow-credentials: true
access-control-allow-credentials: true
access-control-allow-origin: https://ui-admin.our-company.com
access-control-allow-origin: https://ui-admin.our-company.com
vary: Origin
vary: Origin

oathkeeper appends duplicate CORS headers to the response (in addition to CORS headers added by the underlying services).

This is quite problematic, as it breaks CORS requests issued by the browser: https://crashtest-security.com/multiple-values-access-control-allow-origin/
"While the header does support multiple origins, browsers usually do not. "

Reproducing the bug

curl -v 'https://webapi-user.our-company.com/api/v1/datafeed/rollingbar?name=ADAUSD' -H 'origin: https://ui-admin.our-company.com'

Relevant log output

No response

Relevant configuration

cors:
  enabled: true
  allowed_origins:
    - "https://ui-admin.our-company.com"

Version

0.40.2

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

[civilizeddev]

I have experienced the same problem.

oathkeeper appends duplicate CORS headers to the response (in addition to CORS headers added by the underlying services).

[disambiguationuk]

This could be avoided if we could strip upstream headers, however there doesn't seem like there's a supported way to do this.

[aeneasr]

Wouldn't the easier solution be to turn off the cors headers on the upstream, if oathkeeper handles them anyways, or vice versa (turn of in oathkeeper, turn on in upstream)?

[vladyslav2]

@aeneasr

turn of in oathkeeper, turn on in upstream)

this way you will not have correct cors if client send request with incorrect or expired session

[ehblh]

Wouldn't the easier solution be to turn off the cors headers on the upstream, if oathkeeper handles them anyways, or vice versa (turn of in oathkeeper, turn on in upstream)?

We turned off CORS header for oathkeeper, but the error handler gets CORS error ...

Could we enable oathkeeper to configure CORS headers only for error handlers?

@aeneasr

[akkie]

As a workaround or final solution (based how you see it), you could disable CORS for oathkeeper and handle CORS by a proxy as @aeneasr suggested. Based on your proxy implementation, you could then remove the upstream headers in the proxy itself for these upstream services that do not support the disabling of CORS. Nginx allows that with proxy_hide_header as example. I know caddy supports it also, maybe others as well.