
Commit 7ea9acc

cmd/dockerd: deprecate api-cors-header
CORS headers were originally added by 6d5bdff. These headers could be set without any Authz plugin enabled beforehand, making this feature quite dangerous. This commit marks the daemon flag `api-cors-header` as deprecated and requires the env var `DOCKERD_DEPRECATED_CORS_HEADER` to be set. When enabled, the daemon will write a deprecation warning to the logs and the endpoint `GET /info` will return the same deprecation warning. Signed-off-by: Albin Kerouanton <[email protected]> Signed-off-by: Sebastiaan van Stijn <[email protected]>
1 parent 4d525c9 commit 7ea9acc

5 files changed

Lines changed: 14 additions & 4 deletions


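--- a/api/server/middleware/cors.go
+++ b/api/server/middleware/cors.go
@@ -10,11 +10,15 @@ import (
 
 // CORSMiddleware injects CORS headers to each request
 // when it's configured.
+//
+// Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
 type CORSMiddleware struct {
 defaultHeaders string
 }
 
 // NewCORSMiddleware creates a new CORSMiddleware with default headers.
+//
+// Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
 func NewCORSMiddleware(d string) CORSMiddleware {
 return CORSMiddleware{defaultHeaders: d}
 }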

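--- a/cmd/dockerd/config.go
+++ b/cmd/dockerd/config.go
@@ -53,7 +53,6 @@ func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 flags.StringVar(&conf.LogConfig.Type, "log-driver", "json-file", "Default driver for container logs")
 flags.Var(opts.NewNamedMapOpts("log-opts", conf.LogConfig.Config, nil), "log-opt", "Default log driver options for containers")
 
-flags.StringVar(&conf.CorsHeaders, "api-cors-header", "", "Set CORS headers in the Engine API")
 flags.IntVar(&conf.MaxConcurrentDownloads, "max-concurrent-downloads", conf.MaxConcurrentDownloads, "Set the max concurrent downloads")
 flags.IntVar(&conf.MaxConcurrentUploads, "max-concurrent-uploads", conf.MaxConcurrentUploads, "Set the max concurrent uploads")
 flags.IntVar(&conf.MaxDownloadAttempts, "max-download-attempts", conf.MaxDownloadAttempts, "Set the max download attempts for each pull")
@@ -76,6 +75,8 @@ func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 
 // Deprecated flags / options
 
+flags.StringVar(&conf.CorsHeaders, "api-cors-header", "", "Set CORS headers in the Engine API; deprecated, and will be removed in the next release")
+_ = flags.MarkDeprecated("api-cors-header", "accessing Docker API through a browser is insecure; use a reverse proxy if you need CORS headers")
 flags.BoolVarP(&conf.AutoRestart, "restart", "r", true, "--restart on the daemon has been deprecated in favor of --restart policies on docker run")
 _ = flags.MarkDeprecated("restart", "Please use a restart policy on docker run")
 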

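--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@@ -729,8 +729,9 @@ func initMiddlewares(s *apiserver.Server, cfg *config.Config, pluginStore plugin
 }
 s.UseMiddleware(*vm)
 
-if cfg.CorsHeaders != "" {
-c := middleware.NewCORSMiddleware(cfg.CorsHeaders)
+if cfg.CorsHeaders != "" && os.Getenv("DOCKERD_DEPRECATED_CORS_HEADER") != "" {
+logrus.Warnf(`DEPRECATED: The "api-cors-header" config parameter and the dockerd "--api-cors-header" option will be removed in the next release. Use a reverse proxy if you need CORS headers.`)
+c := middleware.NewCORSMiddleware(cfg.CorsHeaders) //nolint:staticcheck // ignore SA1019 (NewCORSMiddleware is deprecated); will be removed in the next release.
 s.UseMiddleware(c)
 }
 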
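Review bot: When `api-cors-header` is configured but `DOCKERD_DEPRECATED_CORS_HEADER` is unset, the new condition skips the middleware without writing anything to the daemon log, so after an upgrade the CORS headers stop being sent with no log line explaining why. Failing closed is the right default here; the gap is only the missing message, and splitting the condition lets the ignored case log its own warning. The env check also accepts any non-empty value, so `0` or `false` opts in as well, which deserves a short comment next to the check. `logrus.Warnf` is called with no format arguments, where `logrus.Warn` would be the plainer call. initMiddlewares starts before and continues past this hunk.

```go
if cfg.CorsHeaders != "" {
	if os.Getenv("DOCKERD_DEPRECATED_CORS_HEADER") == "" {
		// Fail closed, but say so: the configured headers are not applied.
		logrus.Warn(`The "api-cors-header" option is set but ignored because DOCKERD_DEPRECATED_CORS_HEADER is not set; no CORS headers will be sent.`)
	} else {
		// … unchanged: deprecation warning, NewCORSMiddleware, s.UseMiddleware(c) …
	}
}
```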

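--- a/daemon/config/config.go
+++ b/daemon/config/config.go
@@ -160,7 +160,7 @@ type CommonConfig struct {
 Root string `json:"data-root,omitempty"`
 ExecRoot string `json:"exec-root,omitempty"`
 SocketGroup string `json:"group,omitempty"`
-CorsHeaders string `json:"api-cors-header,omitempty"`
+CorsHeaders string `json:"api-cors-header,omitempty"` // Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
 
 // Proxies holds the proxies that are configured for the daemon.
 Proxies `json:"proxies"`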
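Review bot: The `Deprecated:` marker on `CorsHeaders` is written as a trailing comment on the field line, whereas Go's convention puts it in its own paragraph of the doc comment above the declaration. Tools that read only the leading doc comment may not flag uses of the field in this form, which is worth confirming with the linter the project runs. Moving it above the field also leaves room for a description: `// CorsHeaders holds the value of the api-cors-header option.`, then `//`, then the existing `// Deprecated: …` sentence unchanged. The CommonConfig struct starts before and continues past this hunk.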

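--- a/daemon/info.go
+++ b/daemon/info.go
@@ -235,6 +235,10 @@ func (daemon *Daemon) fillAPIInfo(v *system.Info, cfg *config.Config) {
 to the 'Docker daemon attack surface' section in the documentation for
 more information: https://docs.docker.com/go/attack-surface/`
 
+if cfg.CorsHeaders != "" {
+v.Warnings = append(v.Warnings, `DEPRECATED: The "api-cors-header" config parameter and the dockerd "--api-cors-header" option will be removed in the next release. Use a reverse proxy if you need CORS headers.`)
+}
+
 for _, host := range cfg.Hosts {
 // cnf.Hosts is normalized during startup, so should always have a scheme/proto
 proto, addr, _ := strings.Cut(host, "://")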
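Review bot: The warning added under `if cfg.CorsHeaders != ""` is appended whether or not `DOCKERD_DEPRECATED_CORS_HEADER` is set, while cmd/dockerd/daemon.go in this commit installs the CORS middleware only when both are set. `GET /info` therefore returns the same text when the headers are being served and when the option is ignored, so an operator or audit script cannot tell from it whether the API currently emits CORS headers. Consider stating the effective state, for example by ending the text in the ignored case with `The option is currently ignored because DOCKERD_DEPRECATED_CORS_HEADER is not set.` The message literal is also duplicated from daemon.go and could be shared. fillAPIInfo starts before and continues past this hunk.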
