#71 Skip basic auth for OPTIONS http method #79
Conversation
The OPTIONS method is needed for CORS requests
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
While I understand the need, I need to assess the security impact, as said in the issue. Not only for Prometheus but for generic exporters as well.
It looks like the Prometheus golang API does not check the method. This fix would then disable basic auth for metrics endpoints if OPTIONS is used as the method.
I recently switched to Go, and when I first saw the HTTP handler API my first thought was "hey, here you are not forced to check the method like in the Java servlet API". Also, all the code examples, even from the Go tour, didn't handle this :(
@stokito I agree, we should be much more careful about request method handling here and in other parts of the http handler(s).
Hi, if you need my assistance I may try to contribute a little bit and fix parts. I can spend about 4-5 hours; just let me know where to make the changes.
This is not safe. Instead, we should try to reply ourselves when there is an OPTIONS query. It would mean moving the CORS config into the toolkit.
I will try to detail what I have in mind if it's not clear.
Hello,
Don't you think that checking for
When you say that you want to move the CORS config into the toolkit, that would mean moving all this code, and the CORS origin regexp config value, into the toolkit? If so, that'd be a breaking change I assume; do you have a timeline for this change, or could some help make such a change come faster and be available in the Prometheus API?
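The concern raised in this thread, as an added Go example that is not code from the PR or from the toolkit: a stand-in metrics handler that never checks the request method, the PR's skip-auth-on-OPTIONS middleware next to a middleware that answers the preflight itself, and a probe that sends unauthenticated requests to each. The handler, the credentials and the allowed origin are assumed placeholders.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// metricsHandler stands in for a Prometheus client handler: it never checks r.Method.
func metricsHandler(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("up 1\n")) // constructed sample exposition, served for any method
}

// authorized checks basic auth against assumed demo credentials (admin/secret).
func authorized(r *http.Request) bool {
	u, p, ok := r.BasicAuth()
	return ok && u == "admin" && p == "secret"
}

// skipAuthForOptions is the PR's approach: OPTIONS bypasses auth but still reaches the
// wrapped handler, which ignores the method and serves the metrics anyway.
func skipAuthForOptions(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodOptions && !authorized(r) {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// answerOptionsHere is the alternative from the thread: the middleware answers the
// preflight itself, so the wrapped handler only ever sees authenticated requests.
func answerOptionsHere(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions {
			w.Header().Set("Access-Control-Allow-Origin", "https://ui.example") // assumed allowed origin
			w.Header().Set("Access-Control-Allow-Headers", "Authorization")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		if !authorized(r) {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// probe sends an unauthenticated request and returns the status code and body.
func probe(h http.Handler, method string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, "/metrics", nil))
	return rec.Code, rec.Body.String()
}
```

With the PR's middleware an unauthenticated OPTIONS request gets the full metrics body back; with the preflight answered in the middleware it gets an empty 204 and an unauthenticated GET still gets 401.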