> IMHO, I suggest ignoring the text mode when the regular mode is used and the text mode is `*`. This change won't break the existing configuration.

Yes, I think we can do that, and I will impose soft restrictions for text patterns and regular patterns instead of hard restrictions using jsonschema. They can still both be configured, but the behavior will be different from the original.

> This change will be a break change as we can use both text mode and regular mode now and it can work well if the text mode isn't `*`. If we make a break change to solve the problem, I am afraid we can't backport it to the LTS version.

Emmm I'm not sure how we should do it, in some perspective this issue is undoubtedly a bug and we need to have ways to fix it. Maybe we can't port it in LTS, but it should be added to the pending release of 3.0.

Zexuan Luo <spacewan...@apache.org> wrote on Wed, Sep 21, 2022 at 10:03:

> IMHO, I suggest ignoring the text mode when the regular mode is used and the text mode is `*`. This change won't break the existing configuration.
>
> > Therefore, I think text mode and regular mode should be mutually exclusive, and text mode should not have a default value of "*".
>
> This change will be a break change as we can use both text mode and regular mode now and it can work well if the text mode isn't `*`. If we make a break change to solve the problem, I am afraid we can't backport it to LTS version.
>
> Zeping Bai <bzp2...@apache.org> wrote on Tue, Sep 20, 2022 at 18:02:
> >
> > *Background:*
> > Currently, APISIX has a cors plugin to address browser cross-domain issues, which will handle browser requests and dynamically add allow headers.
> > It contains an allow_origins option for handling client sources, which allows both allow_origins (hereafter referred to as text mode) and allow_origins_by_regex (hereafter referred to as regular mode), but they are now not mutually exclusive, they now use logic that first checks using text mode and returns it directly if the match is successful, and then matches regular mode if it fails so in effect regular mode is a fallback option for text mode.
> >
> > *Problem:*
> > When we want to use regular mode only without giving preference to text mode, you will find that we cannot achieve it through the normal way.
> > When you use only allow_origins_by_regex without setting the allow_origins configuration, APISIX automatically adds the default value "*" to allow_origins, so it directly bypasses the regular pattern configuration you defined, which is obviously wrong and dangerous.
> > If you must configure it this way, you can only configure an address for text mode that can never be accessed, i.e. ensure that text mode never matches. This is neither elegant nor secure.
> >
> > Therefore, I think text mode and regular mode should be mutually exclusive, and text mode should not have a default value of "*".
> >
> > What do you think?
> >
> > Best regards!
> > Zeping Bai @bzp2010
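
As an added illustration (not part of the original thread and not APISIX source code), the Python model below reproduces the matching order described in the background, applies the suggested rule of ignoring a `*` text mode when regular mode is set, and flags route configurations whose regex allowlist is bypassed by the default. It assumes `allow_origins` is a comma-separated string and `allow_origins_by_regex` a list of patterns, uses Python's `re` in place of the gateway's regex engine, and the route ids and origins are constructed samples.

```python
import re

DEFAULT_ALLOW_ORIGINS = "*"  # default value of allow_origins, per the thread


def origin_allowed(conf, origin, ignore_wildcard_with_regex=False):
    """Model of the matching order described in the thread (not APISIX code)."""
    text = conf.get("allow_origins", DEFAULT_ALLOW_ORIGINS)
    regexes = conf.get("allow_origins_by_regex") or []
    # Suggested soft rule: ignore text mode when regular mode is set and text is "*".
    skip_text = ignore_wildcard_with_regex and bool(regexes) and text == "*"
    if not skip_text:
        # Text mode is checked first and returns immediately on a match.
        if text == "*" or origin in [o.strip() for o in text.split(",")]:
            return True
    # Regular mode is only reached as a fallback.
    return any(re.search(p, origin) for p in regexes)


def audit(routes):
    """Return ids of routes whose regex allowlist is bypassed by wildcard text mode."""
    flagged = []
    for route in routes:
        cors = route.get("plugins", {}).get("cors")
        if cors is None:
            continue
        text = cors.get("allow_origins", DEFAULT_ALLOW_ORIGINS)
        if cors.get("allow_origins_by_regex") and text == "*":
            flagged.append(route["id"])
    return flagged


# Constructed sample routes (hypothetical ids and hosts).
PATTERN = r"^https://[a-z0-9-]+\.example\.com$"
ROUTES = [
    {"id": "regex-only", "plugins": {"cors": {"allow_origins_by_regex": [PATTERN]}}},
    {"id": "text-and-regex", "plugins": {"cors": {
        "allow_origins": "https://admin.example.org",
        "allow_origins_by_regex": [PATTERN]}}},
    {"id": "no-cors", "plugins": {}},
]

if __name__ == "__main__":
    conf = ROUTES[0]["plugins"]["cors"]
    for origin in ("https://app.example.com", "https://other.example.net"):
        print(origin, origin_allowed(conf, origin), origin_allowed(conf, origin, True))
    print("bypassed regex allowlists:", audit(ROUTES))
```

Only the `regex-only` route is flagged: its pattern is never consulted under the current order, while the route with an explicit text-mode origin still uses the regex as a fallback.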