diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 86a6e28e8..add5c5595 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -348,10 +348,10 @@ CORS can be controlled with the following annotations: - Example: `nginx.ingress.kubernetes.io/cors-expose-headers: "*, X-CustomResponseHeader"` * `nginx.ingress.kubernetes.io/cors-allow-origin` - controls which Origin(s) are allowed for CORS. - This is a multi-valued field, separated by ',', each value should obey the following format: `http(s)://origin-site.com` or `http(s)://origin-site.com:port` + controls what's the accepted Origin for CORS. + This is a single field value, with the following format: `http(s)://origin-site.com` or `http(s)://origin-site.com:port` - Default: `*` - - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443, https://origin-site-2.com"` + - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443"` * `nginx.ingress.kubernetes.io/cors-allow-credentials` controls if credentials can be passed during CORS operations. diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go index 716d624fa..2f1a0a37b 100644 --- a/internal/ingress/annotations/cors/main.go +++ b/internal/ingress/annotations/cors/main.go @@ -18,7 +18,6 @@ package cors import ( "regexp" - "strings" networking "k8s.io/api/networking/v1beta1" @@ -114,14 +113,7 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) { } config.CorsAllowOrigin, err = parser.GetStringAnnotation("cors-allow-origin", ing) - if err == nil { - for _, origin := range strings.Split(config.CorsAllowOrigin, ",") { - if !corsOriginRegex.MatchString(strings.TrimSpace(origin)) { - config.CorsAllowOrigin = "*" - break - } - } - } else { + if err != nil || !corsOriginRegex.MatchString(config.CorsAllowOrigin) { config.CorsAllowOrigin = "*" } diff --git a/internal/ingress/annotations/cors/main_test.go b/internal/ingress/annotations/cors/main_test.go index 5715925ed..6f75ce6a7 100644 --- a/internal/ingress/annotations/cors/main_test.go +++ b/internal/ingress/annotations/cors/main_test.go @@ -72,7 +72,7 @@ func TestIngressCorsConfigValid(t *testing.T) { data[parser.GetAnnotationWithPrefix("cors-allow-headers")] = "DNT,X-CustomHeader, Keep-Alive,User-Agent" data[parser.GetAnnotationWithPrefix("cors-allow-credentials")] = "false" data[parser.GetAnnotationWithPrefix("cors-allow-methods")] = "GET, PATCH" - data[parser.GetAnnotationWithPrefix("cors-allow-origin")] = "https://origin123.test.com:4443, https://origin456.test.com" + data[parser.GetAnnotationWithPrefix("cors-allow-origin")] = "https://origin123.test.com:4443" data[parser.GetAnnotationWithPrefix("cors-expose-headers")] = "*, X-CustomResponseHeader" data[parser.GetAnnotationWithPrefix("cors-max-age")] = "600" ing.SetAnnotations(data) @@ -103,7 +103,7 @@ func TestIngressCorsConfigValid(t *testing.T) { t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-methods")], nginxCors.CorsAllowMethods) } - if nginxCors.CorsAllowOrigin != "https://origin123.test.com:4443, https://origin456.test.com" { + if nginxCors.CorsAllowOrigin != "https://origin123.test.com:4443" { t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-origin")], nginxCors.CorsAllowOrigin) } @@ -126,7 +126,7 @@ func TestIngressCorsConfigInvalid(t *testing.T) { data[parser.GetAnnotationWithPrefix("cors-allow-headers")] = "@alright, #ingress" data[parser.GetAnnotationWithPrefix("cors-allow-credentials")] = "no" data[parser.GetAnnotationWithPrefix("cors-allow-methods")] = "GET, PATCH, $nginx" - data[parser.GetAnnotationWithPrefix("cors-allow-origin")] = "https://origin.test.com, origin123.test.com:4443" + data[parser.GetAnnotationWithPrefix("cors-allow-origin")] = "origin123.test.com:4443" data[parser.GetAnnotationWithPrefix("cors-expose-headers")] = "@alright, #ingress" data[parser.GetAnnotationWithPrefix("cors-max-age")] = "abcd" ing.SetAnnotations(data) diff --git a/test/e2e/annotations/cors.go b/test/e2e/annotations/cors.go index 526739539..e4cdd32b4 100644 --- a/test/e2e/annotations/cors.go +++ b/test/e2e/annotations/cors.go @@ -121,22 +121,6 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) }) - ginkgo.It("should allow multiple origins for cors", func() { - host := "cors.foo.com" - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/enable-cors": "true", - "nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin.cors.com:8080, https://origin2.cors.com", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Origin: https://origin.cors.com:8080, https://origin2.cors.com';") - }) - }) - ginkgo.It("should allow headers for cors", func() { host := "cors.foo.com" annotations := map[string]string{