I am curious about why a breaking change is needed. The problem is, "using
only allow_origins_by_regex without setting the allow_origins
configuration doesn't work". "Ignoring the text mode when the regular
mode is used and the text mode is `*`" can solve this problem and bring
the least breaking change. Making a breaking change will make it tough to
backport a bugfix to the LTS version.

Zeping Bai <bzp2...@apache.org> wrote on Wed, Sep 21, 2022 at 10:24:
>
> > IMHO, I suggest ignoring the text mode when the regular mode is used
> > and the text mode is `*`. This change won't break the existing
> > configuration.
>
> Yes, I think we can do that, and I will impose soft restrictions for text
> patterns and regular patterns instead of hard restrictions using
> jsonschema. They can still both be configured, but the behavior will be
> different from the original.
>
> > This change will be a breaking change as we can use both text mode and
> > regular mode now and it can work well if the text mode isn't `*`. If
> > we make a breaking change to solve the problem, I am afraid we can't
> > backport it to the LTS version.
>
> Emmm, I'm not sure how we should do it. From some perspective this issue is
> undoubtedly a bug and we need to have ways to fix it. Maybe we can't
> port it to LTS, but it should be added to the pending release of 3.0.
>
> Zexuan Luo <spacewan...@apache.org> wrote on Wed, Sep 21, 2022 at 10:03:
>
> > IMHO, I suggest ignoring the text mode when the regular mode is used
> > and the text mode is `*`. This change won't break the existing
> > configuration.
> >
> > > Therefore, I think text mode and regular mode should be mutually
> > > exclusive, and text mode should not have a default value of "*".
> >
> > This change will be a breaking change as we can use both text mode and
> > regular mode now and it can work well if the text mode isn't `*`. If
> > we make a breaking change to solve the problem, I am afraid we can't
> > backport it to the LTS version.
> >
> > Zeping Bai <bzp2...@apache.org> wrote on Tue, Sep 20, 2022 at 18:02:
> > >
> > > *Background:*
> > > Currently, APISIX has a cors plugin to address browser cross-domain
> > > issues, which will handle browser requests and dynamically add allow
> > > headers. It contains an allow_origins option for handling client
> > > sources, which allows both allow_origins (hereafter referred to as text
> > > mode) and allow_origins_by_regex (hereafter referred to as regular
> > > mode), but they are now not mutually exclusive. They now use logic that
> > > first checks using text mode and returns it directly if the match is
> > > successful, and then matches regular mode if it fails, so in effect
> > > regular mode is a fallback option for text mode.
> > >
> > > *Problem:*
> > > When we want to use regular mode only without giving preference to text
> > > mode, you will find that we cannot achieve it through the normal way.
> > > When you use only allow_origins_by_regex without setting the
> > > allow_origins configuration, APISIX automatically adds the default value
> > > "*" to allow_origins, so it directly bypasses the regular pattern
> > > configuration you defined, which is obviously wrong and dangerous.
> > > If you must configure it this way, you can only configure an address for
> > > text mode that can never be accessed, i.e. ensure that text mode never
> > > matches. This is neither elegant nor secure.
> > >
> > > Therefore, I think text mode and regular mode should be mutually
> > > exclusive, and text mode should not have a default value of "*".
> > >
> > >
> > > What do you think?
> > >
> > > Best regards!
> > > Zeping Bai  @bzp2010
> >

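A simplified Python model of the matching order discussed in this thread, added here as an illustration; it is not APISIX's plugin code. The function names, the comma-separated handling of allow_origins, and the sample origins are assumptions made for the model. It shows the default "*" shadowing a regex-only configuration, the "ignore `*` when regex is set" proposal, and a configuration check for the shadowed case.

```python
import re

DEFAULT_ALLOW_ORIGINS = "*"  # default the thread says is added when allow_origins is unset


def with_defaults(conf):
    out = dict(conf)
    out.setdefault("allow_origins", DEFAULT_ALLOW_ORIGINS)
    return out


def text_match(allow_origins, origin):
    # Assumption for this model: "*" matches everything, otherwise a comma-separated list.
    if allow_origins == "*":
        return True
    return origin in [o.strip() for o in allow_origins.split(",")]


def regex_match(patterns, origin):
    return any(re.search(p, origin) for p in patterns)


def allowed_current(conf, origin):
    """Order described in the thread: text mode first, regular mode only as fallback."""
    conf = with_defaults(conf)
    if text_match(conf["allow_origins"], origin):
        return True
    return regex_match(conf.get("allow_origins_by_regex", []), origin)


def allowed_proposed(conf, origin):
    """Proposal in the thread: ignore text mode when regular mode is used and text mode is '*'."""
    conf = with_defaults(conf)
    patterns = conf.get("allow_origins_by_regex", [])
    if patterns and conf["allow_origins"] == "*":
        return regex_match(patterns, origin)
    return text_match(conf["allow_origins"], origin) or regex_match(patterns, origin)


def regex_is_shadowed(conf):
    """Config check: regex patterns are set but text mode is missing or '*'."""
    return bool(conf.get("allow_origins_by_regex")) and conf.get("allow_origins", "*") == "*"


# Constructed sample configurations and origins.
REGEX_ONLY = {"allow_origins_by_regex": [r"^https://[a-z0-9-]+\.example\.com$"]}
MIXED = {"allow_origins": "https://a.example.org",
         "allow_origins_by_regex": [r"^https://[a-z0-9-]+\.example\.com$"]}
```

On the mixed configuration both functions return the same result, which is the backward-compatibility point raised in the replies.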