POSTing a message returns 403 only when the Origin header is set. #580
Comments
You need to add example.com to the cors allowedorigins in the config file. Your request is denied because the server thinks somehow example.com made a request out to gotify, so it denies it for security reasons.
So I've had a play around and it looks like my issue was a combination of two things:
Perhaps this could be in a documentation update, and maybe errors returned from config via environment variables?
I think you might have misspelled the config name. I have to admit it is complicated to write entire configs in environment variables, but this one should panic as expected:

```
> GOTIFY_SERVER_CORS_ALLOWORIGINS="[\")example.com\"]" go run -ldflags="-X main.Mode=prod" . (base)
Starting Gotify version unknown@unknown
panic: regexp: Compile(`)example.com`): error parsing regexp: unexpected ): `)example.com`
```

Another possibility is you are running in dev mode; in dev mode the server ignores this option altogether.
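An added example (not code from the Gotify project or from this thread): a Go program that compiles an allow-origins list as regular expressions, as the panic output above indicates the server does, reports a bad entry as an error instead of panicking, and applies the result to an `Origin` header. The function names, the JSON list syntax, and the anchored sample pattern are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// parseAllowOrigins (hypothetical helper) decodes a list value, assumed here
// to be JSON, and compiles each entry as a regexp, returning an error on a bad one.
func parseAllowOrigins(raw string) ([]*regexp.Regexp, error) {
	var patterns []string
	if err := json.Unmarshal([]byte(raw), &patterns); err != nil {
		return nil, fmt.Errorf("allow-origins is not a list of strings: %w", err)
	}
	compiled := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("allow-origins entry %q: %w", p, err)
		}
		compiled = append(compiled, re)
	}
	return compiled, nil
}

// originAllowed models the behaviour reported in the issue: a request with no
// Origin header passes; one with an Origin passes only if a pattern matches.
func originAllowed(origin string, allowed []*regexp.Regexp) bool {
	if origin == "" {
		return true
	}
	for _, re := range allowed {
		if re.MatchString(origin) {
			return true
		}
	}
	return false
}

func main() {
	_, err := parseAllowOrigins(`[")example.com"]`) // value from the thread
	fmt.Println("bad entry:", err)
	allowed, _ := parseAllowOrigins(`["^https?://example\\.com$"]`) // constructed
	for _, o := range []string{"", "http://example.com", "https://example.com.test"} {
		fmt.Printf("Origin=%q allowed=%v\n", o, originAllowed(o, allowed))
	}
}
```

Anchoring the pattern with `^` and `$` and escaping the dot keeps the entry from matching origins that merely contain the intended host name.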
Can the issue be reproduced with the latest available release? (y/n) yes
Which one is the environment gotify server is running in?
Docker startup command or config file here (please mask sensitive information)
Do you have a reverse proxy installed in front of gotify server? (Please select None if the problem can be reproduced without the presence of a reverse proxy)
Reverse proxy configuration (please mask sensitive information)
On which client do you experience problems? (Select as many as you can see)
What did you do?
Triggering a request to gotify through Javascript sends it alongside some default headers, one of which is `Origin`.
What did you expect to see?
Sending a cURL request to gotify without an `Origin` header works as expected:
What did you see instead? (Include screenshots, android logcat/request dumps if possible)
Sending a cURL request to gotify with an `Origin` header set returns a 403:
Note that the example curl requests here are sent from within the container itself to eliminate other causes.