[metrics-bugs] #22062 [Metrics/Onionoo]: Bad requests do not add the Access-Control-Allow-Origin header
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Nov 1 13:50:10 UTC 2019
#22062: Bad requests do not add the Access-Control-Allow-Origin header
-----------------------------+------------------------------
Reporter: cypherpunks | Owner: metrics-team
Type: defect | Status: needs_review
Priority: Medium | Milestone:
Component: Metrics/Onionoo | Version:
Severity: Normal | Resolution:
Keywords: metrics-2018 | Actual Points:
Parent ID: | Points:
Reviewer: irl | Sponsor:
-----------------------------+------------------------------
Changes (by karsten):
* status: new => needs_review
* reviewer: => irl
Comment:
Okay, I spent way more time on this than I should have. Here's what I
found out:
We can indeed set the `Access-Control-Allow-Origin *` header at the top of
`doGet`:
{{{
diff --git
a/src/main/java/org/torproject/metrics/onionoo/server/ResourceServlet.java
b/src/main/java/org/torproject/metrics/onionoo/server/ResourceServlet.java
index 0fee44b..b46c465 100644
---
a/src/main/java/org/torproject/metrics/onionoo/server/ResourceServlet.java
+++
b/src/main/java/org/torproject/metrics/onionoo/server/ResourceServlet.java
@@ -96,6 +96,8 @@ public class ResourceServlet extends HttpServlet {
HttpServletResponseWrapper response, long receivedRequestMillis)
throws IOException {
+ response.setHeader("Access-Control-Allow-Origin", "*");
+
if (this.maintenanceMode) {
response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
return;
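Review bot: placing the header before the `if (this.maintenanceMode)` check means it is set ahead of every `sendError()` call in `doGet`, so the fix only holds if the container's `sendError()` leaves that header in place; since the accompanying comment reports that cache headers are cleared there, add a test that exercises the 503 maintenance path and a request that fails validation and asserts `Access-Control-Allow-Origin: *` on the error response. Also confirm nothing in the servlet sets `Access-Control-Allow-Credentials`, since browsers reject a wildcard origin combined with credentials.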
@@ -408,7 +410,6 @@ public class ResourceServlet extends HttpServlet {
((CACHE_MAX_TIME - indexAgeMillis)
/ CACHE_INTERVAL) * CACHE_INTERVAL);
- response.setHeader("Access-Control-Allow-Origin", "*");
response.setContentType("application/json");
response.setCharacterEncoding("utf-8");
response.setHeader("Cache-Control", "public, max-age="
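Review bot: dropping the header here is only safe because it now precedes every early `return` in `doGet`; the remaining `setContentType`, `setCharacterEncoding` and `Cache-Control` lines are still reached only on the success path, so error responses keep whatever content type and caching the container's error handler chooses, which is what the comment below describes. If the header is meant for every Onionoo response rather than only this servlet, a filter mapped to `/*` would also cover the typo URLs the comment says this change misses.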
}}}
The effect is that all requests being handled by this servlet class will
have that header, regardless of response code. This includes URLs starting
with `/summary`, `/details`, `/bandwidth`, `/weights`, `/clients`, and
`/uptime`. It does not, however, apply to other resources, including typos
of those URLs.
The same does not work for cache headers. These are overwritten when we
call `sendError()`, and I don't see an easy way to prevent that from
happening. Maybe a filter or another handler or whatever Jetty has for
such cases. Unfortunately, I don't know Jetty well enough to configure
this, and I lack the time to find out.
My suggestion would be that we move the `Access-Control-Allow-Origin *`
header at the top of `doGet` as seen in the diff above and leave caching
unchanged. How does this sound?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22062#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
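Karsten's comment names a servlet filter as the way to keep headers on error responses but leaves it unexplored. The following is an added example and not Onionoo code: a javax.servlet `Filter` that sets `Access-Control-Allow-Origin` on every response passing through it and, for errors, writes the error response itself instead of delegating to the container's `sendError()`, so the `Cache-Control` it sets is not replaced by the container's error handler. The class name, the `/*` mapping, the 60-second error cache lifetime and the JSON error body are assumptions, not anything Onionoo does.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example, not Onionoo code. Class name, mapping and cache lifetime
 * are assumptions. Applies the same CORS header to every response and
 * keeps a Cache-Control header on error responses by answering errors
 * locally rather than through the container's sendError() machinery.
 */
public class UniformHeadersFilter implements Filter {

  /** Onionoo serves public data without credentials, so a wildcard is acceptable. */
  static final String ALLOW_ORIGIN = "*";

  /** Assumed lifetime for error responses; short so fixed clients recover quickly. */
  static final String ERROR_CACHE_CONTROL = "public, max-age=60";

  @Override
  public void init(FilterConfig filterConfig) {
    // Nothing to configure.
  }

  @Override
  public void destroy() {
    // Nothing to release.
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res,
      FilterChain chain) throws IOException, ServletException {
    HttpServletResponse response = (HttpServletResponse) res;
    // Set once, before the servlet runs, so success and error paths share it.
    response.setHeader("Access-Control-Allow-Origin", ALLOW_ORIGIN);
    chain.doFilter(req, new LocalErrorResponse(response));
  }

  /**
   * Wrapper handed to the servlet. Its sendError() overrides never call the
   * container's sendError(), which is where the headers were being reset;
   * instead they write a minimal JSON error body with the headers we want.
   */
  static final class LocalErrorResponse extends HttpServletResponseWrapper {

    LocalErrorResponse(HttpServletResponse response) {
      super(response);
    }

    @Override
    public void sendError(int sc) throws IOException {
      sendError(sc, null);
    }

    @Override
    public void sendError(int sc, String msg) throws IOException {
      if (isCommitted()) {
        // Same contract as the servlet API: too late to change the response.
        throw new IllegalStateException("Response already committed");
      }
      resetBuffer();
      setStatus(sc);
      // Re-apply explicitly in case the servlet replaced them earlier.
      setHeader("Access-Control-Allow-Origin", ALLOW_ORIGIN);
      setHeader("Cache-Control", ERROR_CACHE_CONTROL);
      setContentType("application/json");
      setCharacterEncoding("utf-8");
      // The status code is the whole body. The message is deliberately not
      // echoed: it may contain request-derived text, and reflecting it
      // into a response that every origin may read is not worth the risk.
      PrintWriter out = getWriter();
      out.print("{\"error\":" + sc + "}");
      out.flush();
    }
  }
}
```

The filter has to be mapped to `/*` (a `filter-mapping` in `web.xml`, or `ServletContextHandler.addFilter` in embedded Jetty) so that it also covers requests for paths no servlet handles. Because the wrapper bypasses the container's error page handling entirely, the error body is the fixed JSON above rather than the container's HTML page; that is the trade-off that keeps the headers intact.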