I am curious about why a breaking change is needed. The problem is, "use only allow_origins_by_regex without setting the allow_origins configuration doesn't work". "Ignoring the text mode when the regular mode is used and the text mode is `*`" can solve this problem and bring the least breaking change. Making a breaking change will make it tough to backport a bugfix to the LTS version.

Zeping Bai <bzp2...@apache.org> wrote on Wed, Sep 21, 2022 at 10:24:
>
> > IMHO, I suggest ignoring the text mode when the regular mode is used and the text mode is `*`. This change won't break the existing configuration.
>
> Yes, I think we can do that, and I will impose soft restrictions for text patterns and regular patterns instead of hard restrictions using jsonschema. They can still both be configured, but the behavior will be different from the original.
>
> > This change will be a breaking change as we can use both text mode and regular mode now and it can work well if the text mode isn't `*`. If we make a breaking change to solve the problem, I am afraid we can't backport it to the LTS version.
>
> Emmm I'm not sure how we should do it, in some perspective this issue is undoubtedly a bug and we need to have ways to fix it. Maybe we can't port it in LTS, but it should be added to the pending release of 3.0.
>
> Zexuan Luo <spacewan...@apache.org> wrote on Wed, Sep 21, 2022 at 10:03:
>
> > IMHO, I suggest ignoring the text mode when the regular mode is used and the text mode is `*`. This change won't break the existing configuration.
> >
> > > Therefore, I think text mode and regular mode should be mutually exclusive, and text mode should not have a default value of "*".
> >
> > This change will be a breaking change as we can use both text mode and regular mode now and it can work well if the text mode isn't `*`. If we make a breaking change to solve the problem, I am afraid we can't backport it to the LTS version.
> >
> > Zeping Bai <bzp2...@apache.org> wrote on Tue, Sep 20, 2022 at 18:02:
> >
> > > *Background:*
> > > Currently, APISIX has a cors plugin to address browser cross-domain issues, which will handle browser requests and dynamically add allow headers.
> > > It contains an allow_origins option for handling client sources, which allows both allow_origins (hereafter referred to as text mode) and allow_origins_by_regex (hereafter referred to as regular mode), but they are now not mutually exclusive, they now use logic that first checks using text mode and returns it directly if the match is successful, and then matches regular mode if it fails so in effect regular mode is a fallback option for text mode.
> > >
> > > *Problem:*
> > > When we want to use regular mode only without giving preference to text mode, you will find that we cannot achieve it through the normal way.
> > > When you use only allow_origins_by_regex without setting the allow_origins configuration, APISIX automatically adds the default value "*" to allow_origins, so it directly bypasses the regular pattern configuration you defined, which is obviously wrong and dangerous.
> > > If you must configure it this way, you can only configure an address for text mode that can never be accessed, i.e. ensure that text mode never matches. This is neither elegant nor secure.
> > >
> > > Therefore, I think text mode and regular mode should be mutually exclusive, and text mode should not have a default value of "*".
> > >
> > >
> > > What do you think?
> > >
> > > Best regards!
> > > Zeping Bai @bzp2010
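
Added example (not part of the thread and not APISIX's own code): a Python model of the origin check discussed above, comparing the text-then-regex logic with the two proposed fixes. The function names, the comma-separated form of allow_origins, the use of an unanchored regex search, and the sample origins are assumptions made for illustration.

```python
import re

DEFAULT_ALLOW_ORIGINS = "*"  # default the thread says is applied when allow_origins is unset


def _text_match(origin, allow_origins):
    # Assumption: text mode is "*" or a comma-separated list of exact origins.
    return allow_origins == "*" or origin in allow_origins.split(",")


def _regex_match(origin, patterns):
    # Assumption: a pattern matches if it is found anywhere in the origin.
    return any(re.search(p, origin) for p in patterns or [])


def allowed_current(origin, allow_origins=None, allow_origins_by_regex=None):
    """Behaviour described in the thread: text mode first, regex only as fallback."""
    text = DEFAULT_ALLOW_ORIGINS if allow_origins is None else allow_origins
    return _text_match(origin, text) or _regex_match(origin, allow_origins_by_regex)


def allowed_ignore_wildcard(origin, allow_origins=None, allow_origins_by_regex=None):
    """Non-breaking proposal: skip text mode when regex is set and text mode is "*"."""
    text = DEFAULT_ALLOW_ORIGINS if allow_origins is None else allow_origins
    if allow_origins_by_regex and text == "*":
        return _regex_match(origin, allow_origins_by_regex)
    return _text_match(origin, text) or _regex_match(origin, allow_origins_by_regex)


def allowed_exclusive(origin, allow_origins=None, allow_origins_by_regex=None):
    """Breaking proposal: modes are mutually exclusive and text mode has no default."""
    if allow_origins is not None and allow_origins_by_regex:
        raise ValueError("allow_origins and allow_origins_by_regex are mutually exclusive")
    if allow_origins_by_regex:
        return _regex_match(origin, allow_origins_by_regex)
    return allow_origins is not None and _text_match(origin, allow_origins)


# Constructed sample configurations (not taken from the thread).
REGEX_ONLY = {"allow_origins_by_regex": [r"^https://[a-z0-9-]+\.example\.org$"]}
MIXED = {"allow_origins": "https://portal.example.com", **REGEX_ONLY}
```

With the regex-only configuration the first function accepts every origin, while the wildcard-ignoring variant enforces the pattern and still returns the same answers as before for a configuration that sets both modes with a non-`*` text value.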