Improper definition of exposedHeaders in sites/default/default.services.yml causes the following watchdog error.
Warning: implode(): Invalid arguments passed in Asm89\Stack\CorsService->addActualRequestHeaders() (line 85 of /my/drupal/vendor/asm89/stack-cors/src/Asm89/Stack/CorsService.php)
#0 /my/drupal/core/includes/bootstrap.inc(566): _drupal_error_handler_real(2, 'implode(): Inva...', '/my/drupal/...', 85, Array)
#1 [internal function]: _drupal_error_handler(2, 'implode(): Inva...', '/my/drupal/...', 85, Array)
#2 /my/drupal/vendor/asm89/stack-cors/src/Asm89/Stack/CorsService.php(85): implode(', ', true)
#3 /my/drupal/vendor/asm89/stack-cors/src/Asm89/Stack/Cors.php(53): Asm89\Stack\CorsService->addActualRequestHeaders(Object(Symfony\Component\HttpFoundation\JsonResponse), Object(Symfony\Component\HttpFoundation\Request))
#4 /my/drupal/core/lib/Drupal/Core/StackMiddleware/ReverseProxyMiddleware.php(47): Asm89\Stack\Cors->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#5 /my/drupal/core/lib/Drupal/Core/StackMiddleware/NegotiationMiddleware.php(50): Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#6 /my/drupal/vendor/stack/builder/src/Stack/StackedHttpKernel.php(23): Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#7 /my/drupal/core/lib/Drupal/Core/DrupalKernel.php(656): Stack\StackedHttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#8 /my/drupal/index.php(19): Drupal\Core\DrupalKernel->handle(Object(Symfony\Component\HttpFoundation\Request)) #9 {main}.
This is due to the fact that asm89/stack-cors expects exposedHeaders to either be false, or an array. If you end up setting this to true it tries to implode a boolean and throws an error.
Comment | File | Size | Author |
---|
Issue fork drupal-2905848
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
firewaller CreditAttribution: firewaller commentedSame here. +1
Comment #3
sic CreditAttribution: sic commentedIn my case it was due to a wrong CORS setup. I just had the exposed headers set to true, which makes no sense :) Try to backtrace the cause.
Comment #4
johnhanley CreditAttribution: johnhanley as a volunteer commentedI just encountered this today.
If you look at line 94 in CorsService.php (Drupal 8.4.4), it's expecting an array and not a Boolean.
$response->headers->set('Access-Control-Expose-Headers', implode(', ', $this->options['exposedHeaders']));
Defining 'exposedHeaders' as 'true' rightfully produces an error in the log.
So what's the purpose of this property? Should it contain the same header array as the allowedHeaders property?
Comment #5
mikejoconnor CreditAttribution: mikejoconnor commentedIt seems like a good short term solution to this issue would be to provide some better help text in sites/default/default.services.yml.
Comment #6
mikejoconnor CreditAttribution: mikejoconnor commentedComment #7
mikejoconnor CreditAttribution: mikejoconnor commentedComment #8
dawehnerThank you for improving the documentation by giving an example too.
Comment #9
alexpott+1 for improving the docs but I think it can be a little bit more specific. The exposedHeaders value expects a sequence - ie it can be:
or
I was thinking of just recommend changing
To modify the exposed headers use a comma delimited list.
toTo modify the exposed headers use a comma delimited list within square brackets
because the within square brackets and then I just ended up reading all the CORS docs and thought if we improve this one why not improve them all and require less cognitive overload on the person doing the configuring.Comment #11
littletiger CreditAttribution: littletiger commented@alexpott
There seems to be an error in your patch? Code for exposed headers only handles the imploding of an array of values. There is no wildcard support for that property.
Comment #12
alexpott@littletiger I was probably going on the patch in #5. But looking at the docs the situation is complex :) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control...
Comment #15
mr.baileysStatement is switching between singular and plural (specify/sets). I think this should be either singular (specify/set) or plural (specifies/sets). Same goes for the allowedMethods comment.
This looks ok to me. Setting
exposedHeaders: ['*']
will result in aAccess-Control-Expose-Headers: *
response header, which is valid according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control....Setting this value to '0' or false will omit the Access-Control-Max-Age header from the response. However, setting it to '-1' will explicitly disable caching, we might want to add that to the comment.
Simple changes to the existing patch, so tagging novice.
Comment #16
shimpyI have created a patch with the mentioned suggestions in #15. Please review if more changes are required.
Comment #18
mr.baileysThanks @shimpy, changes look good. Before we can do a final review, we need to address the test failure: this is caused by #3067645: Add core scaffold assets to drupal/core's composer.json extra field, which landed a month ago. From now until 9.x, changes to default.services.yml will need to be made both in
/sites/default/
and/core/assets/scaffold/files/
(the linked issue explains the reasoning for this).Comment #19
mr.baileysStill a novice issue, since the only required change is to copy /sites/default/default.services.yml to /core/assets/scaffold/files/default.services.yml and re-roll the patch with both files changed.
Comment #20
shimpyHii @mr.baileys
Thanks for the suggestion. I have recreated a patch as per #19. Please review.
Comment #22
mr.baileysFailed patch is a random test failure caused by #3041318: Various random fails due to mis-triggered Mink deprecation error, re-test requested.
Comment #23
mr.baileysComment #24
shimpy@mr.baileys
I have restested it.. It pass all tests.
Comment #25
longwaveThe wording here still needs a bit of work. "headers" when there is only one header, "the this" doesn't make sense either.
Comment #26
MeenakshiG CreditAttribution: MeenakshiG at OpenSense Labs for DrupalFit commentedFixed the wordings
Comment #28
longwaveAs per the previous patches we need to ensure that /sites/default/default.services.yml and /core/assets/scaffold/files/default.services.yml are changed in exactly the same way.
Comment #29
shimpyI have updated both the files. Please review.
Comment #33
larowlanI think we should word this as per the above
For example, ['Content-Type', 'Expires'] or ['*'] to expose all headers.
I this this is missing some words before 600
suggest. For example, setting the value to 600 will cache results of a preflight for 10 minutes.
Comment #37
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #38
kkalashnikov CreditAttribution: kkalashnikov as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedPatch for Drupal version 10.1.x
Comment #39
kkalashnikov CreditAttribution: kkalashnikov as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedComment #40
smustgrave CreditAttribution: smustgrave at Mobomo commentedPoints in #33 were not addressed.
Not ready for review yet.
Comment #41
adeshsharma CreditAttribution: adeshsharma at OpenSense Labs for DrupalFit commentedComment #42
smustgrave CreditAttribution: smustgrave at Mobomo commentedNow the strings are going over 80 characters per line.
Comment #43
adeshsharma CreditAttribution: adeshsharma at OpenSense Labs for DrupalFit commentedComment #44
adeshsharma CreditAttribution: adeshsharma at OpenSense Labs for DrupalFit commentedFixed docs' lines having characters above 80 in a single line.
Comment #45
smustgrave CreditAttribution: smustgrave at Mobomo commentedThanks!
Comment #46
larowlanI think this should be 'allow any origin to access your resource' rather than 'resource to access your resource'
There's still a few lines that don't wrap at 80 chars too (At least according to dreditor)
Comment #48
urvashi_vora CreditAttribution: urvashi_vora at Valuebound for Valuebound commentedHi @larowlan,
As per your suggestion, I have made changes with respect to patch #44.
Corrected the sentence. Please verify.
Setting the issue status to Needs Review.
Also, I am uploading a patch along with an interdiff file.
Thanks.
Comment #50
Rishabh Vishwakarma CreditAttribution: Rishabh Vishwakarma at OpenSense Labs for DrupalFit commentedResolved errors from #48
Comment #51
urvashi_vora CreditAttribution: urvashi_vora at Valuebound for Valuebound commentedShoot.
I guess some tech stack issue with my system probably.
Kindly, Ignore #44.
Also, @Rishabh, thanks for the patch and interdiff, but I believe @larowlan asked to change the sentence in "core/assets/scaffold/files/default.services.yml" but your interdiff showcases the changes in "sites/default/default.services.yml".
Please guide me, if I am getting this wrong anywhere.
Re-attaching the interdiff file with patch.
Thank You !
Comment #54
adeshsharma CreditAttribution: adeshsharma at OpenSense Labs for DrupalFit commentedComment #55
adeshsharma CreditAttribution: adeshsharma at OpenSense Labs for DrupalFit commentedFixed 'resource' to origin in both the files as suggested by larowlan in #46.
Comment #56
smustgrave CreditAttribution: smustgrave at Mobomo commentedComment #57
edysmpdoes this need issue summary update?
Comment #60
urvashi_vora CreditAttribution: urvashi_vora at Valuebound for Valuebound commentedHi,
I tested the patch of #55 in d11, it works fine, applies cleanly. Since, the issue has changed to 11.x, providing the patch for 11.x.
Comment #61
smustgrave CreditAttribution: smustgrave at Mobomo commentedHiding #60. Thank you but #55 applied cleanly to 11.x so #60 is just a re-upload from what I can tell, since there was no interdiff.
Can run the 11.x tests by clicking the "Add test/retest" link. Queued #55 for 11.x tests.
But #57 I believe is correct in that IS should be updated about what is being accomplished. Me marking RTBC in #56 was incorrect on my part.
Comment #62
mr.baileysThis line should wrap at 80 characters. This will also fix the fact that header name and value are currently split over 2 lines.
Line wrapping should be fixed.
It might make sense to merge #2905848: Improve documentation for cors configuration. and this issue, since that issue is about adding and documenting the new
allowedOriginsPatterns
-option tocors.config
indefault.services.yml
.Comment #63
pradhumanjain2311 CreditAttribution: pradhumanjain2311 at OpenSense Labs for DrupalFit commentedMade changes as per comment #62.
Please review.
Comment #64
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue.
While you are making the above changes, we recommend that you convert this patch to a merge request. Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)
Comment #67
sourabhjainComment #68
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #69
BramDriesenThis still needs a rebase which was not addressed in the creation of the MR.
Remember to hide all patch files when switching to a MR.
Comment #70
sourabhjainHi @xjm @smustgrave
I intentionally deferred work on these issues. All the updates were made on November 14, 2023, and I've been addressing them sequentially in the Drupal issue queue without initially considering the tags assigned to each. I acknowledge this oversight and apologize for any confusion. Moving forward, I will ensure to prioritize and address issues based on their respective tags.