Once again local development, "No 'Access-Control-Allow-Origin' header is present on the requested resource" (despite config)--halp?

[vputz]

Ok, Ory in local on-machine kubernetes cluster via Helm chart, and I've tried versions 1.1.0 and 1.2.0 of the container. Kratos is configured with (obtained with kubectl describe cm kratos-config so this does seem to be what the container is doing)

serve:
  admin:
    port: 4434
  public:
    base_url: http://localhost:4433
    cors:
      allow_credentials: true
      allowed_headers:
      - Authorization
      - Cookie
      - Content-Type
      allowed_methods:
      - POST
      - GET
      - PUT
      - PATCH
      - DELETE
      - OPTIONS
      allowed_origins:
      - http://localhost
      - http://localhost:8280
      - '*'
      enabled: true
      exposed_headers:
      - Content-Type
      - Set-Cookie
    port: 4433

I can initiate a login flow with curl -X GET -H "Accept: application/json" http://localhost:4433/self-service/login/browser | jq and via my SPA; all this is good. But I can't complete the login flow without including the csrf token, and I can't include the csrf token without including the correct cookie, and it seems to do that I need to request with-credentials: true... and at that point my browser gets angry:

Access to XMLHttpRequest at 'http://localhost:4433/self-service/login?flow=3794ffb3-1531-434d-af7d-97e622325b63' from origin 'http://localhost:8280' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Attempting to simulate a CORS preflight by asking for options looks like this:

❯ curl -I -X OPTIONS -H "Accept: application/json" -H "Access-Control-Request_headers: X-Requested-With" "http://localhost:4433/self-service/login?flow=90f09a52-a0b5-48fd-8285-0ac46bfb7bf0"
HTTP/1.1 200 OK
Allow: GET, OPTIONS, POST
Vary: Origin
Vary: Cookie
Date: Thu, 27 Jun 2024 20:13:29 GMT
Content-Length: 0

And indeed I see no headers. I'm more new to CSRF and CORS than I probably should be, but when I've done searches it looks like most are "configure kratos to do cors", and I feel like that should be done? (it complains if I misspell any of the keys, so I think it is trying to use that config...)

Apologies for sounding so confused, but I've wrestled with this for some time now and am very confused.

[vinckr]

Hello @vputz
I am sorry that you are having a bad time.

The OPTIONS request you've shown doesn't include the Access-Control-Allow-Origin header in the response

The wildcard '*' is generally not recommended when allow_credentials is set to true.

Make sure that the Origin header in your request matches exactly one of the allowed origins. Browsers are strict about this matching.
Ory has a "deny by default" policy for CORS, which means the Access-Control-Allow-Origin header is only set on domains explicitly allowed in the configuration.