Comments (5)
PR incoming.
I think this is the correct change to make, even if it's impactful to users when upgrading, as many users may not be aware of the default behaviour which circumvents the browser's security model. For those who were relying on this change, it should be fairly clear to them what has broken (i.e. CORS) and a release note / changelog can call this out explicitly.
Also given that the project is still an alpha, early adopters should expect the occasional bump in the name of security, stability and performance ;)
from grpc-web.
I resolved the issue with the Origin Option like this:

```go
// Wrap grpc server to grpc-web server
wrappedServer := grpcweb.WrapServer(s, grpcweb.WithOriginFunc(func(origin string) bool {
	// disable all origins, this is all done by the proxy before these servers
	return false
}))
```

Is there any better solution?
from grpc-web.
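An added example, not part of the thread or the grpc-web project: an exact-match origin allowlist with the `func(origin string) bool` signature that the snippet above passes to `grpcweb.WithOriginFunc`, for deployments where no proxy filters origins first. `NewOriginAllowlist`, `canonicalOrigin` and the sample origins are hypothetical names and constructed values; only the Go standard library is used.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// NewOriginAllowlist (hypothetical helper) builds an origin check that denies
// by default and accepts only exact scheme://host[:port] matches.
func NewOriginAllowlist(allowed ...string) (func(origin string) bool, error) {
	set := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		key, ok := canonicalOrigin(a)
		if !ok {
			return nil, fmt.Errorf("invalid allowed origin %q", a)
		}
		set[key] = struct{}{}
	}
	return func(origin string) bool {
		key, ok := canonicalOrigin(origin)
		_, found := set[key]
		return ok && found
	}, nil
}

// canonicalOrigin reduces an Origin header value to lower-case
// "scheme://host[:port]"; values such as "null" or bare hostnames are rejected.
func canonicalOrigin(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" || u.User != nil {
		return "", false
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Path != "" || u.RawQuery != "" {
		return "", false
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), true
}

func main() {
	// Constructed sample origins; the second shares a prefix with the allowed one.
	allow, err := NewOriginAllowlist("https://app.example.com")
	if err != nil {
		panic(err)
	}
	for _, o := range []string{"https://app.example.com", "https://app.example.com.evil.test", "null"} {
		fmt.Printf("%-36s allowed=%v\n", o, allow(o))
	}
}
```

Comparing the parsed scheme and host exactly, rather than with a prefix or suffix match on the raw string, is what keeps look-alike origins out.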
@MarcusLongmuir - IMHO the approach should be restrictive by default when it comes to security features such as CORS; would you welcome a patch that defaults to denying all CORS requests (from remote origins) and adds a custom Option helper: grpcweb.WithAllowAllOrigins()?
from grpc-web.
@jonnyreeves: I agree. Would definitely welcome a patch, but this is likely to be a breaking change and it will need to be communicated.
At the very least (and only just palatable), we could change the function name to surface the change as a compilation error to anyone depending on master of this repo.
I think we need to fix up the release process as per #43 with this in mind.
Thoughts, @mwitkow?
from grpc-web.
Only took a year and a half, but #158 has now landed which closes this issue :)
from grpc-web.