
CORS is not effective to restrict access #10276

Open
1 task done
SedatDe opened this issue Jan 2, 2025 · 2 comments
Labels
bug Something isn't working

Comments

@SedatDe

SedatDe commented Jan 2, 2025

Describe the bug

If I mount a gradio app on FastAPI and use CORSMiddleware from FastAPI, it does not seem to apply the restriction. It just reflects the given Origin header of the request in the access-control-allow-origin response header. However, if I use just a FastAPI route rather than a gradio app, this does not happen.

Have you searched existing issues? 🔎

  • I have searched and found no existing issues

Reproduction

Here is the gradio mounted example (example-1):

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
import gradio as gr
import uvicorn

app = FastAPI()
# Only https://example.com should receive access-control-allow-origin
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://example.com"]
)

with gr.Blocks() as demo:
    gr.Textbox("hello")

# Mount the Gradio app at the root of the FastAPI app
app = gr.mount_gradio_app(app, demo, path="/")
uvicorn.run(app, host="0.0.0.0", port=55800)

Here is the pure FastAPI example (example-2):

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
import uvicorn

app = FastAPI()
# Same CORS configuration as example-1, but no Gradio app is mounted
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://example.com"]
)

@app.get("/")
async def root():
    return {"message": "Hello"}

uvicorn.run(app, host="0.0.0.0", port=55800)

If I make a request with the following

curl -i http://10.255.83.104:55800/ -H "Origin: https://malicious.com"

Example-1 returns access-control-allow-origin with whatever is given in the Origin header.

HTTP/1.1 200 OK
date: Thu, 02 Jan 2025 10:44:18 GMT
server: uvicorn
content-length: 4097
content-type: text/html; charset=utf-8
access-control-allow-credentials: true
access-control-allow-origin: https://malicious.com
vary: Origin

Example-2 does not return access-control-allow-origin, i.e. it applies the expected restriction.

HTTP/1.1 200 OK
date: Thu, 02 Jan 2025 10:43:48 GMT
server: uvicorn
content-length: 19
content-type: application/json

Screenshot

No response

Logs

No response

System Info

Operating System: Linux
gradio version: 5.7.1
gradio_client version: 1.5.0

Severity

Blocking usage of gradio

@SedatDe SedatDe added the bug Something isn't working label Jan 2, 2025
@abidlabs
Member

abidlabs commented Jan 2, 2025

Hi @SedatDe the reason for this is that Gradio includes its own cors middleware which behaves as you described. Perhaps you can get around this by mounting your cors middleware after mounting the gradio app -- can you try this?

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
import gradio as gr
import uvicorn

app = FastAPI()

with gr.Blocks() as demo:
    gr.Textbox("hello")

# Mount the Gradio app first ...
app = gr.mount_gradio_app(app, demo, path="/")

# ... and add the CORS middleware afterwards
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://example.com"]
)

uvicorn.run(app, host="0.0.0.0", port=55800)

@SedatDe
Author

SedatDe commented Jan 2, 2025

Hi @abidlabs thank you for your quick response.
I tried your suggestion, but I still get access-control-allow-origin: https://malicious.com response header.
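A small check for verifying whether a deployment still reflects arbitrary origins, as an added example that is not part of this issue or of Gradio's code; it parses the two responses captured above and also offers a live probe for an operator testing their own server (the URL, Origin value and allow-list are assumed inputs).

```python
import http.client
from urllib.parse import urlparse

# Header blocks copied from the two responses in the issue (content-length omitted).
EXAMPLE_1_RESPONSE = """HTTP/1.1 200 OK
date: Thu, 02 Jan 2025 10:44:18 GMT
server: uvicorn
content-type: text/html; charset=utf-8
access-control-allow-credentials: true
access-control-allow-origin: https://malicious.com
vary: Origin
"""
EXAMPLE_2_RESPONSE = """HTTP/1.1 200 OK
date: Thu, 02 Jan 2025 10:43:48 GMT
server: uvicorn
content-type: application/json
"""

def parse_headers(raw):
    """Return the header block of a raw HTTP response as a lower-cased dict."""
    head = raw.split("\n\n", 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def assess_cors(sent_origin, headers, allowed_origins):
    """Classify the CORS headers returned for a request that carried `sent_origin`."""
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    reflected = acao == sent_origin and sent_origin not in allowed_origins
    if reflected and creds:
        severity = "high"    # any site can make credentialed cross-origin reads
    elif reflected or (acao == "*" and creds):
        severity = "medium"
    else:
        severity = "none"    # header absent, or only an allow-listed origin echoed
    return {"acao": acao, "reflected": reflected, "credentials": creds, "severity": severity}

def probe(url, sent_origin, allowed_origins):
    """Live check against your own server: one GET with a chosen Origin header."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    conn.request("GET", u.path or "/", headers={"Origin": sent_origin})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return assess_cors(sent_origin, headers, allowed_origins)
```

Run `probe("http://127.0.0.1:55800/", "https://not-on-the-list.example", {"https://example.com"})` after applying a workaround; a result other than `"none"` means the inner middleware is still answering for the outer one.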
