Firebase how to allow "Range" Header - firebase

I set my CORS header for Firebase Storage with the following cors.json and gsutil
[
  {
    "origin": ["*"],
    "method": ["GET", "OPTIONS"],
    "responseHeader": ["Range", "Content-Type"],
    "maxAgeSeconds": 3600
  }
]
But I still get this error:
XMLHttpRequest cannot load http://url_to.csv. Request header field Range is not allowed by Access-Control-Allow-Headers in preflight response.
I also tried replacing Range with Content-Range but it didn't have any effect.

Related

Ocelot Gateway duplicate query params

I am using ocelot gateway.
Here is the example configuration
{
  "DownstreamPathTemplate": "/ipgeo?apiKey={key}&ip={ip}",
  "DownstreamScheme": "http",
  "DownstreamHostAndPorts": [
    {
      "Host": "api.ipgeolocation.io",
      "Port": 80
    }
  ],
  "UpstreamHttpMethod": ["GET"],
  "UpstreamPathTemplate": "/GLI/secondary?apiKey={key}&ip={ip}"
}
As you can see, there are two query params. When I send a request using Postman:
http://localhost:5000/GLI/secondary?apiKey=aaa&ip=8.8.8.8
Ocelot gets duplicate query params and generates a downstream URL like this:
http://api.ipgeolocation.io/ipgeo?apiKey=aaa&ip=8.8.8.8&apiKey=aaa&ip=8.8.8.8
Console screen:
info: Ocelot.Requester.Middleware.HttpRequesterMiddleware[0]
requestId: 0HMFNFVDSDQH9:0000000A, previousRequestId: no previous request id, message: 301 (Moved Permanently) status code, request uri: http://api.ipgeolocation.io/ipgeo?apiKey=aaa&ip=8.8.8.8&apiKey=aaa&ip=8.8.8.8
How can I change this?
Same problem.
What works for me is this syntax; basically I removed the "?" symbol in the UpstreamPathTemplate:
"DownstreamPathTemplate": "/GLI/secondary?{everything}"
"UpstreamPathTemplate": "/GLI/secondary{everything}"
You can use
"DownstreamPathTemplate": "/ipgeo?{everything}"
"UpstreamPathTemplate": "/GLI/secondary?{everything}"
OR
"UpstreamPathTemplate": "/GLI/secondary/{everything}"

NGINX JSON log format

We have tried to get the error logs in JSON format, as we can for access logs, but we are getting an error there.
Can we not format the error logs we are getting from the NGINX server as JSON, as we can for access logs?
As described here:
http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
a JSON log format is available in nginx:
log_format logger-json escape=json '{
"source": "nginx",
"time": $msec,
"resp_body_size": $body_bytes_sent,
"host": "$http_host",
"address": "$remote_addr",
"request_length": $request_length,
"method": "$request_method",
"uri": "$request_uri",
"status": $status,
"user_agent": "$http_user_agent",
"resp_time": $request_time,
"upstream_addr": "$upstream_addr"
}';
At the moment it is not possible to format the error logs as JSON.
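Since the error log has a fixed text layout, it can be converted to JSON after the fact. The following is an added example, not code from the original posts or from nginx: it parses the standard error_log line layout, and the function name, output field names and sample lines are assumptions.

```python
import json
import re

# Prefix of every error_log line: time, [level], pid#tid:, optional *connection-id.
HEADER = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): "
    r"(?:\*(?P<connection>\d+) )?(?P<rest>.*)$"
)
# Context fields nginx appends after the message; values may be quoted.
CONTEXT = re.compile(
    r', (?P<key>client|server|request|upstream|host|referrer): '
    r'(?P<value>"[^"]*"|[^,]*)'
)

def error_line_to_json(line):
    """Convert one error_log line to a JSON string. json.dumps escapes quotes and
    control characters in client-controlled values (request line, host), so they
    cannot break the JSON structure."""
    line = line.rstrip("\n")
    m = HEADER.match(line)
    if m is None:  # continuation or unexpected layout: keep it, flagged
        return json.dumps({"source": "nginx", "unparsed": line})
    record = {"source": "nginx", "time": m["time"], "level": m["level"],
              "pid": int(m["pid"]), "tid": int(m["tid"])}
    if m["connection"]:
        record["connection"] = int(m["connection"])
    rest = m["rest"]
    first = CONTEXT.search(rest)
    record["message"] = rest[:first.start()] if first else rest
    if first:
        for field in CONTEXT.finditer(rest, first.start()):
            record[field["key"]] = field["value"].strip('"')
    return json.dumps(record)

# Constructed sample lines (not taken from the page).
SAMPLE = [
    '2024/01/15 10:23:45 [error] 1234#1234: *42 open() '
    '"/usr/share/nginx/html/missing.csv" failed (2: No such file or directory), '
    'client: 203.0.113.7, server: example.com, '
    'request: "GET /missing.csv?a=1,2 HTTP/1.1", host: "example.com"',
    "2024/01/15 10:23:46 [notice] 1#1: signal process started",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(error_line_to_json(sample_line))
```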

CORS error when using Firebase Hosting and Cloud Run

I have a SPA with the following setup:
Frontend: React deployed using Firebase Hosting
Backend: GraphQL API written in Django deployed on Cloud Run
Everything works locally but when I deploy the app and try to make requests, I get a CORS error due to preflight missing allow origin header:
Access to fetch at 'https://cloud-run-api-hash.a.run.app/graphql/' from origin 'https://project-id.web.app' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Using django-cors-headers, I have already added the Firebase domain to the CORS_ORIGIN_WHITELIST in my Django settings.
My firebase.json looks like this:
{
  "hosting": {
    "public": "build",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "rewrites": [
      {
        "source": "/authenticated/**",
        "run": {
          "serviceId": "cloud-run-serviceID",
          "region": "us-central1"
        }
      },
      {
        "source": "**",
        "destination": "/index.html"
      }
    ],
    "headers": [ {
      "source": "**/*.#(eot|otf|ttf|ttc|woff|font.css)",
      "headers": [ {
        "key": "Access-Control-Allow-Origin",
        "value": "*"
      } ]
    } ]
  }
}
My intention is to trigger the Cloud Run container after the user is authenticated and is routed to https://project-id.web.app/authenticated, but I'm not seeing any Cloud Run logs after I log in to the app. Furthermore, when I try to send any HTTP requests I get the CORS error shown above. Not sure what went wrong here because I strictly followed the Cloud Run/Firebase Hosting documentation. Any advice is greatly appreciated.
It turns out that the problem was with django-cors-headers. I put the allowed domains in CORS_ALLOWED_ORIGINS instead of CORS_ORIGIN_WHITELIST and it worked. According to the documentation, this setting was renamed. I'm still unsure why CORS_ORIGIN_WHITELIST doesn't work on Cloud Run though... it should work as an alias.

Firebase Hosting is caching my dynamic `robots.txt` on the CDN

From Firebase docs, we get that it's supposed to set Cache-Control: private as default.
Firebase Hosting- Manage cache behavior
I generate my robots.txt on the fly, hence it might change from one request to the next. Because of that, I don't want it cached by the CDN. But to my surprise, I'm getting CDN hits for robots.txt.
See:
I do the same with ads.txt and sitemap.xml. The same is happening with ads.txt, but not with sitemap.xml.
Maybe it's something related to .txt files. Could this be a bug?
Do I have to explicitly set the Cache-Control: private?
You can configure that specific file's cache-control header through the firebase.json file like this:
{
  "hosting": [
    {
      ...,
      "headers": [
        {
          "source": "robots.txt",
          "headers": [
            {
              "key": "Cache-Control",
              "value": "no-cache"
            }
          ]
        }
      ]
    }
  ]
}
More info in the docs here.

firebase hosting iframe error with X-Frame-Options

I need to use a couple of iframes for a page hosted with Firebase, but it's giving me an X-Frame-Options error. One of the iframes is for a gallery hosted on Picasa, and another iframe is for a contact form (because I couldn't send email via Firebase :()
Here is the error:
Refused to display 'https://get.google.com/albumarchive/pwa/11111/album/1111?source=pwa#slideshow/1111' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
jquery.min.js:2 Uncaught DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "https://demodomain.com" from accessing a cross-origin frame.
I did this with firebase.json but it didn't work:
"headers": [
  {
    "source": "**/*",
    "headers": [
      {"key": "X-Content-Type-Options", "value": "nosniff"},
      {"key": "X-Frame-Options", "value": "ALLOW"},
      {"key": "X-UA-Compatible", "value": "ie=edge"},
      {"key": "X-XSS-Protection", "value": "1; mode=block"}
    ]
  }
]
You have the right idea; you're just setting the wrong value. ALLOW is not an acceptable value for the X-Frame-Options header. You can set the ALLOW-FROM value and then specify which URI you want to allow to be able to embed. Check out some more documentation below.
FIX:
"headers": [{
  "source": "**/*",
  "headers": [
    {"key": "X-Content-Type-Options", "value": "nosniff"},
    {"key": "X-Frame-Options", "value": "ALLOW-FROM https://get.google.com"},
    {"key": "X-UA-Compatible", "value": "ie=edge"},
    {"key": "X-XSS-Protection", "value": "1; mode=block"}
  ]
}]
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
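A lint check for the header values discussed in this thread, as an added example that is not part of the original posts: it reads a firebase.json and classifies each X-Frame-Options value. The header only governs who may frame the responses that carry it, and ALLOW-FROM is an obsolete directive that current browsers ignore; the function name, the sample paths and the verdict strings are assumptions.

```python
import json

def lint_frame_options(firebase_json_text):
    """Return (source glob, header value, verdict) for each X-Frame-Options rule."""
    config = json.loads(firebase_json_text)
    hosting = config.get("hosting", {})
    # "hosting" is an object for one site or a list for several (both appear on this page).
    sites = hosting if isinstance(hosting, list) else [hosting]
    findings = []
    for site in sites:
        for rule in site.get("headers", []):
            for header in rule.get("headers", []):
                if header.get("key", "").lower() != "x-frame-options":
                    continue
                value = header.get("value", "").strip()
                parts = value.split(None, 1)
                directive = parts[0].upper() if parts else ""
                if directive in ("DENY", "SAMEORIGIN") and len(parts) == 1:
                    verdict = "ok"
                elif directive == "ALLOW-FROM" and len(parts) == 2:
                    # Obsolete: current browsers ignore the header when it carries
                    # this directive; CSP frame-ancestors is the replacement.
                    verdict = "obsolete: use Content-Security-Policy frame-ancestors"
                else:
                    verdict = "invalid: not a defined X-Frame-Options directive"
                findings.append((rule.get("source"), value, verdict))
    return findings

# Constructed firebase.json wrapping the header values discussed above;
# the /embed/** and /admin/** paths are made up for the example.
SAMPLE = json.dumps({"hosting": {"headers": [
    {"source": "**/*", "headers": [
        {"key": "X-Content-Type-Options", "value": "nosniff"},
        {"key": "X-Frame-Options", "value": "ALLOW"}]},
    {"source": "/embed/**", "headers": [
        {"key": "X-Frame-Options", "value": "ALLOW-FROM https://get.google.com"}]},
    {"source": "/admin/**", "headers": [
        {"key": "X-Frame-Options", "value": "SAMEORIGIN"}]},
]}})

if __name__ == "__main__":
    for source, value, verdict in lint_frame_options(SAMPLE):
        print(f"{source}: {value!r} -> {verdict}")
```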
