IMHO, I suggest ignoring the text mode when the regular mode is used and the text mode is `*`. This change won't break the existing configuration.
> Therefore, I think text mode and regular mode should be mutually exclusive,
> and text mode should not have a default value of "*".

This change will be a breaking change, as we can use both text mode and regular mode now and it can work well if the text mode isn't `*`. If we make a breaking change to solve the problem, I am afraid we can't backport it to the LTS version.

Zeping Bai <bzp2...@apache.org> wrote on Tue, Sep 20, 2022 at 18:02:
>
> *Background:*
> Currently, APISIX has a cors plugin to address browser cross-domain issues,
> which will handle browser requests and dynamically add allow headers.
> It contains an allow_origins option for handling client sources, which allows
> both allow_origins (hereafter referred to as text mode) and
> allow_origins_by_regex (hereafter referred to as regular mode), but they are
> now not mutually exclusive, they now use logic that first checks using text mode
> and returns it directly if the match is successful, and then matches regular
> mode if it fails, so in effect regular mode is a fallback option for text mode.
>
> *Problem:*
> When we want to use regular mode only without giving preference to text mode,
> you will find that we cannot achieve it through the normal way.
> When you use only allow_origins_by_regex without setting the allow_origins
> configuration, APISIX automatically adds the default value "*" to allow_origins, so
> it directly bypasses the regular pattern configuration you defined, which is obviously
> wrong and dangerous.
> If you must configure it this way, you can only configure an address for text mode
> that can never be accessed, i.e. ensure that text mode never matches. This is neither
> elegant nor secure.
>
> Therefore, I think text mode and regular mode should be mutually exclusive, and
> text mode should not have a default value of "*".
>
> What do you think?
>
> Best regards!
> Zeping Bai @bzp2010
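
The following Python model of the matching order described in this thread, and of the change suggested in the reply, is an added example; it is not part of either message and is not the plugin's own Lua code. The function names, the comma-separated form of `allow_origins` and the sample origins are assumptions constructed for illustration.

```python
import re

def effective_conf(conf):
    """Apply the default described in the thread: allow_origins becomes "*" when unset."""
    out = dict(conf)
    out.setdefault("allow_origins", "*")
    return out

def match_current(conf, origin):
    """Order described in the thread: text mode first, regular mode only as a fallback."""
    conf = effective_conf(conf)
    text = conf["allow_origins"]
    if text == "*":
        return True  # the injected default matches before any regex is consulted
    if origin in text.split(","):  # assumption: comma-separated exact origins
        return True
    return any(re.search(p, origin) for p in conf.get("allow_origins_by_regex", []))

def match_proposed(conf, origin):
    """Suggestion from the reply: ignore text mode when regular mode is set and text mode is "*"."""
    conf = effective_conf(conf)
    regexes = conf.get("allow_origins_by_regex", [])
    if regexes and conf["allow_origins"] == "*":
        return any(re.search(p, origin) for p in regexes)
    return match_current(conf, origin)  # every other configuration is unchanged

# Constructed sample configurations and origins.
REGEX_ONLY = {"allow_origins_by_regex": [r"^https://[a-z0-9-]+\.example\.com$"]}
MIXED = {"allow_origins": "https://a.example.org", **REGEX_ONLY}
ORIGINS = ["https://app.example.com", "https://a.example.org", "https://other.example.net"]

def compare(conf):
    """Return {origin: (current_result, proposed_result)} for the sample origins."""
    return {o: (match_current(conf, o), match_proposed(conf, o)) for o in ORIGINS}

if __name__ == "__main__":
    for name, conf in (("regex only", REGEX_ONLY), ("mixed", MIXED), ("empty", {})):
        print(name)
        for origin, (cur, new) in compare(conf).items():
            print(f"  {origin:32} current={cur!s:5} proposed={new}")
```

With the regex-only configuration, the current order allows every origin, while the proposed order allows only origins matching the pattern; the mixed and empty configurations give identical results under both.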