CORS Issue: Custom Header Being Blocked by IC Boundary Node

Gekctek · January 14, 2025, 11:05pm

I’m running a canister that serves XRPC endpoints. I’m trying to allow cross-origin requests that include a custom header atproto-accept-labelers.

My canister sets these CORS headers:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: *

However, the OPTIONS preflight response from the boundary node shows more restrictive headers:

access-control-allow-headers: user-agent,dnt,if-none-match,if-modified-since,cache-control,content-type,range,cookie,x-requested-with,x-ic-canister-id

This is causing browsers to block requests with the custom header. Is there a way to override this?

For more context, I am trying to get https://bsky.app to send a request to my canister but it needs to include the atproto-accept-labelers when its connecting to my server
Any help would be great

skilesare · January 15, 2025, 12:29am

Oh yes…if you need custom headers you may need to run a custom boundary board like we did with propyl.io.

Gekctek · January 15, 2025, 12:51am

Maybe in theory when the boundary nodes are decentralized, each boundary node could have different settings?
This is kind of a big deal this doesn’t work for my project

Im not a big CORS guy, any thoughts on why the headers are limited but other CORS settings are *?

skilesare · January 15, 2025, 3:11am

I’m not sure. I had issues with partial media files back in the day. I think this has been resolved. I know you can mess with headers in asset canisters using the json5 file.

See discussion: Boundary node http response headers - #72 by faraz.shaikh

This is what we used but it was last updated 3 years ago:

This may be the new one:

Maybe some clues as to what happens here: Code search results · GitHub

Gekctek · January 15, 2025, 5:00am

tagging @rbirkner
Saw you were in the other boundary node threads

Gekctek · January 15, 2025, 5:04am

github.com/dfinity/ic-gateway

src/routing/middleware/cors.rs

47b64a062


      
          CorsLayer::new()
              .allow_origin(Any)
              .allow_methods(methods.to_vec())
              .expose_headers([
                  ACCEPT_RANGES,
                  CONTENT_LENGTH,
                  CONTENT_RANGE,
                  X_REQUEST_ID,
                  X_IC_CANISTER_ID,
              ])
              .allow_headers([
                  USER_AGENT,
                  DNT,
                  IF_NONE_MATCH,
                  IF_MODIFIED_SINCE,
                  CACHE_CONTROL,
                  CONTENT_TYPE,
                  RANGE,
                  COOKIE,
                  X_REQUESTED_WITH,
                  X_IC_CANISTER_ID,

Seems like it

rbirkner · January 17, 2025, 4:49pm

Hey @Gekctek

Your observations are 100% correct. The HTTP gateway within the boundary nodes overrides whatever CORS headers you set in your canister. In particular, OPTIONS requests are directly handled by the HTTP gateway and never make it to the canister. Changing that would mean significantly increased latency for all OPTIONS requests.

I can check what the possibilities are and will report back!

Gekctek · January 17, 2025, 5:54pm

That would be wonderful, thank you

Gekctek · January 31, 2025, 9:56pm

@rbirkner Any update/additional thoughts?

Topic		Replies	Views
Boundary node http response headers Developers	78	4304	February 22, 2024
Range headers being stripped out Developers	34	1114	September 7, 2024
Can't host podcasts from canisters Developers	9	649	February 22, 2024
CORS problem on local and main Developers	11	841	November 9, 2023
CORS Policy on ic0.app General	4	822	February 3, 2022

CORS Issue: Custom Header Being Blocked by IC Boundary Node

Related topics