
No CORS headers on /oauth/token

Summary

The /oauth/token endpoint sends no CORS headers at all (no Access-Control-Allow-Origin), so OAuth token requests issued from a browser are blocked before the response can be read.

Steps to reproduce

Send a POST request from an origin other than gitlab.com to https://gitlab.com/oauth/token from an OAuth2 application running in an environment that enforces CORS, for example a browser. The browser rejects the request with a CORS violation:

Access to fetch at 'https://gitlab.com/oauth/token' from origin 'chrome-extension://aipojhhnnbhdaipedcdlmfgaloobeeii' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Example Project

What is the current bug behavior?

What is the expected correct behavior?

Proper CORS support so that the OAuth2 token exchange can be completed from within a browser. See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.

  • Set header Access-Control-Allow-Origin: *.
  • Support OPTIONS requests for CORS preflight.
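The two points above, worked through as an added example in plain Ruby (no gems, Rack-style request/response shapes). This is not GitLab's or Doorkeeper's code: `with_token_cors`, `TOKEN_APP`, `browser_allows?` and the constructed requests are this example's own names and stand-ins. It answers the preflight OPTIONS request itself, attaches the CORS headers to every response on the token endpoint (error responses included, so a browser can read the JSON error rather than report a violation), and models the browser-side check that produced the error quoted in the steps to reproduce. One caveat worth keeping in mind with the wildcard: browsers reject `Access-Control-Allow-Origin: *` when `Access-Control-Allow-Credentials: true` is also present, so the wildcard only works for a token endpoint that authenticates via the request body and never via cookies; the example deliberately omits the credentials header for that reason.

```ruby
# Added example, not GitLab's code: a minimal Rack-style CORS layer for
# /oauth/token in plain Ruby so it runs stand-alone. Requests are Rack-like
# env hashes and responses are [status, headers, body].

TOKEN_PATH = "/oauth/token".freeze

# Headers that let a browser read the token response from any origin.
# No Access-Control-Allow-Credentials: a browser refuses "*" with it, and
# the token endpoint must not rely on cookies anyway.
CORS_HEADERS = {
  "Access-Control-Allow-Origin"  => "*",
  "Access-Control-Allow-Methods" => "POST, OPTIONS",
  "Access-Control-Allow-Headers" => "Content-Type, Authorization",
  "Access-Control-Max-Age"       => "3600"
}.freeze

# Hypothetical stand-in for the upstream token action. It reproduces the
# 400 shown in the curl transcript when grant_type is absent.
TOKEN_APP = lambda do |env|
  body = env["rack.input"].to_s
  if body.include?("grant_type=")
    [200, { "content-type" => "application/json; charset=utf-8" },
     ['{"access_token":"example-token","token_type":"Bearer"}']]
  else
    [400, { "content-type" => "application/json; charset=utf-8" },
     ['{"error":"invalid_request","error_description":"Missing required parameter: grant_type."}']]
  end
end

# For the token endpoint only: answer CORS preflight directly (the app is
# never called) and add CORS headers to every real response, errors included.
def with_token_cors(app, env)
  return app.call(env) unless env["PATH_INFO"] == TOKEN_PATH

  if env["REQUEST_METHOD"] == "OPTIONS" && env.key?("HTTP_ACCESS_CONTROL_REQUEST_METHOD")
    return [204, CORS_HEADERS.merge("Content-Length" => "0"), []]
  end

  status, headers, body = app.call(env)
  [status, headers.merge(CORS_HEADERS), body]
end

# Models the browser check behind the quoted error: the response is readable
# only if Access-Control-Allow-Origin is "*" or exactly the requesting origin,
# and "*" is rejected once credentials are allowed.
def browser_allows?(origin, response_headers)
  allow = response_headers["Access-Control-Allow-Origin"]
  return false if allow.nil?
  return allow == origin if response_headers["Access-Control-Allow-Credentials"] == "true"
  allow == "*" || allow == origin
end

# Constructed requests mirroring the report: an extension origin talking to
# /oauth/token, first the preflight, then the actual POST.
def demo
  origin = "chrome-extension://aipojhhnnbhdaipedcdlmfgaloobeeii"
  preflight = { "REQUEST_METHOD" => "OPTIONS", "PATH_INFO" => TOKEN_PATH,
                "HTTP_ORIGIN" => origin,
                "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "POST" }
  post = { "REQUEST_METHOD" => "POST", "PATH_INFO" => TOKEN_PATH,
           "HTTP_ORIGIN" => origin,
           "rack.input" => "grant_type=authorization_code&code=constructed&client_id=constructed" }

  pre_status, pre_headers, _pre_body = with_token_cors(TOKEN_APP, preflight)
  status, headers, body = with_token_cors(TOKEN_APP, post)
  unpatched_headers = TOKEN_APP.call(post)[1] # current behaviour: no CORS headers

  {
    preflight_status: pre_status,
    preflight_ok: browser_allows?(origin, pre_headers),
    before_fix_ok: browser_allows?(origin, unpatched_headers),
    after_fix_ok: browser_allows?(origin, headers),
    token_status: status,
    token_body: body.join
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the comparison: the unpatched response has no Access-Control-Allow-Origin and fails the browser check exactly as in the quoted error, while the wrapped endpoint answers the preflight with 204 and the POST with readable headers. Paths other than /oauth/token are left untouched, so the wildcard is scoped to the one endpoint that needs it.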

Relevant logs and/or screenshots

% curl -D - -X POST -o /dev/null https://gitlab.com/oauth/token 2> /dev/null
HTTP/2 400 
date: Tue, 26 Jan 2021 20:42:25 GMT
content-type: application/json; charset=utf-8
content-length: 89
set-cookie: __cfduid=da99022c2b85642995aa13466ca708f121611693745; expires=Thu, 25-Feb-21 20:42:25 GMT; path=/; domain=.gitlab.com; HttpOnly; SameSite=Lax; Secure
cache-control: private, no-store
pragma: no-cache
www-authenticate: Bearer realm="Doorkeeper", error="invalid_request", error_description="Missing required parameter: grant_type."
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-request-id: 01EX06XSHQYMSMP4F9KR0JVVF9
x-runtime: 0.016636
x-xss-protection: 1; mode=block
gitlab-lb: fe-11-lb-gprd
gitlab-sv: web-05-sv-gprd
cf-cache-status: DYNAMIC
cf-request-id: 07e207fdd100002355d4b12000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 617d0f761e7b2355-ZRH

Output of checks

This bug happens on GitLab.com

Possible fixes

Edited by Bastian Blank