Rework access control origin configuration

2020-03-05 08:18:04 +01:00 · 2020-03-05 08:18:04 +01:00 · 082fb166a2
commit 082fb166a2
parent fb51ebcba6
14 changed files with 203 additions and 122 deletions
--- a/docs/content/middlewares/headers.md
+++ b/docs/content/middlewares/headers.md
@ -197,7 +197,7 @@ This functionality allows for more advanced security features to quickly be set.
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@ -213,14 +213,16 @@ spec:
      - "GET"
      - "OPTIONS"
      - "PUT"
-    accessControlAllowOrigin: "origin-list-or-null"
+    accessControlAllowOriginList:
+      - "https://foo.bar.org"
+      - "https://example.org"
    accessControlMaxAge: 100
    addVaryHeader: "true"
 ```

 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
- "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+- "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
 - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@ -228,7 +230,7 @@ spec:
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
-  "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin": "origin-list-or-null",
+  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
  "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
  "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
 }
@ -237,7 +239,7 @@ spec:
 ```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@ -246,7 +248,7 @@ labels:
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
    accessControlMaxAge = 100
    addVaryHeader = true
 ```
@ -260,7 +262,9 @@ http:
          - GET
          - OPTIONS
          - PUT
-        accessControlAllowOrigin: "origin-list-or-null"
+        accessControlAllowOriginList:
+          - https://foo.bar.org
+          - https://example.org
        accessControlMaxAge: 100
        addVaryHeader: true
 ```
@ -295,14 +299,22 @@ The `accessControlAllowHeaders` indicates which header field names can be used a

 The  `accessControlAllowMethods` indicates which methods can be used during requests.

-### `accessControlAllowOrigin`
+### `accessControlAllowOriginList`

-The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values.
-The three options for this value are:
+The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.

- `origin-list-or-null`
- `*`
- `null`
+A wildcard origin `*` can also be configured, and will match all requests.
+If this value is set by a backend server, it will be overwritten by Traefik
+
+This value can contains a list of allowed origins.
+
+More information including how to use the settings can be found on:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://www.w3.org/TR/cors/#access-control-allow-origin-response-header)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
+
+Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).

 ### `accessControlExposeHeaders`

@ -314,7 +326,7 @@ The `accessControlMaxAge` indicates how long a preflight request can be cached.

 ### `addVaryHeader`

-The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
+The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.

 ### `allowedHosts`