[jira] [Commented] (GUACAMOLE-1839) JSON auth should set 'Access-Control-Allow-Origin = *'

Mon, 31 Jul 2023 09:01:06 -0700 


    [ 
https://issues.apache.org/jira/browse/GUACAMOLE-1839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17749255#comment-17749255
 ] 

Mike Jumper commented on GUACAMOLE-1839:
----------------------------------------

This is not a bug, nor something that can be configurable at the extension 
level. If you wish to add a non-default header to REST API responses, the 
method for doing so is configuring a reverse proxy providing SSL termination to 
add that header:

https://guacamole.apache.org/doc/gug/reverse-proxy.html

Both Nginx and the Apache web server provide mechanisms for adding headers to 
the responses of proxied services.

> JSON auth should set 'Access-Control-Allow-Origin = *'
> ------------------------------------------------------
>
>                 Key: GUACAMOLE-1839
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1839
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-json
>    Affects Versions: 1.5.2
>            Reporter: Kevin Rise
>            Priority: Major
>
> Setup:
>  * Guacamole/guacd: 1.5.2, Docker versions
>  * Browser: Chrome & Firefox (latest)
> I'm trying to use the JSON auth and running into a problem where after doing 
> the POST to '<guacamole>/api/tokens' the response (that contains the required 
> login token) is getting blocked due to CORS.  Everything works fine 
> otherwise, I can even see the log entry in Guacamole that the login was 
> successful.  But the browser is blocking the response due to CORS.
> I've got a javascript app (Vue if it matters) running in the browser making 
> the POST call.
> What I think should happen (and admitting I'm not an expert in CORS) is that 
> the response to the POST call should set the 'Access-Control-Allow-Origin = 
> *' header in the response to allow the browser to let my app see the response.
> I've tried a few simple tests, like using Chrome plugins to either 1) disable 
> CORS checks or 2) set the 'Access-Control-Allow-Origin = *' header in the 
> POST response, and both "fix" the problem.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to