Merge pull request #48209 from thaJeztah/remove_deprecated_cors_headers

remove support for setting CORS headers (deprecated)
2026-01-11 18:51:37 +00:00 · 2024-07-26 12:11:20 +02:00
parent 951a04cc01 ae96ce866f
commit 08d7b56169
4 changed files with 9 additions and 51 deletions
--- a/api/server/middleware/cors.go
+++ b/api/server/middleware/cors.go
@@ -1,42 +0,0 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/containerd/log"
-	"github.com/docker/docker/api/types/registry"
-)
-
-// CORSMiddleware injects CORS headers to each request
-// when it's configured.
-//
-// Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
-type CORSMiddleware struct {
-	defaultHeaders string
-}
-
-// NewCORSMiddleware creates a new CORSMiddleware with default headers.
-//
-// Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
-func NewCORSMiddleware(d string) CORSMiddleware {
-	return CORSMiddleware{defaultHeaders: d}
-}
-
-// WrapHandler returns a new handler function wrapping the previous one in the request chain.
-func (c CORSMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		// If "api-cors-header" is not given, but "api-enable-cors" is true, we set cors to "*"
-		// otherwise, all head values will be passed to HTTP handler
-		corsHeaders := c.defaultHeaders
-		if corsHeaders == "" {
-			corsHeaders = "*"
-		}
-
-		log.G(ctx).Debugf("CORS header is enabled and set to: %s", corsHeaders)
-		w.Header().Add("Access-Control-Allow-Origin", corsHeaders)
-		w.Header().Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, "+registry.AuthHeader)
-		w.Header().Add("Access-Control-Allow-Methods", "HEAD, GET, POST, DELETE, PUT, OPTIONS")
-		return handler(ctx, w, r, vars)
-	}
-}
--- a/cmd/dockerd/config.go
+++ b/cmd/dockerd/config.go
@@ -75,7 +75,8 @@ func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) {

 	// Deprecated flags / options

-	flags.StringVar(&conf.CorsHeaders, "api-cors-header", "", "Set CORS headers in the Engine API; deprecated, and will be removed in the next release")
+	// TODO(thaJeztah): option is used to produce error when used; remove in next release
+	flags.StringVar(&conf.CorsHeaders, "api-cors-header", "", "Set CORS headers in the Engine API; deprecated: this feature was deprecated in 27.0, and now removed")
 	_ = flags.MarkDeprecated("api-cors-header", "accessing Docker API through a browser is insecure; use a reverse proxy if you need CORS headers")
 	flags.BoolVarP(&conf.AutoRestart, "restart", "r", true, "--restart on the daemon has been deprecated in favor of --restart policies on docker run")
 	_ = flags.MarkDeprecated("restart", "Please use a restart policy on docker run")
--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@@ -735,7 +735,7 @@ func (opts routerOptions) Build() []router.Router {
 	return routers
 }

-func initMiddlewares(ctx context.Context, s *apiserver.Server, cfg *config.Config, pluginStore plugingetter.PluginGetter) (*authorization.Middleware, error) {
+func initMiddlewares(_ context.Context, s *apiserver.Server, cfg *config.Config, pluginStore plugingetter.PluginGetter) (*authorization.Middleware, error) {
 	exp := middleware.NewExperimentalMiddleware(cfg.Experimental)
 	s.UseMiddleware(exp)

@@ -745,12 +745,6 @@ func initMiddlewares(ctx context.Context, s *apiserver.Server, cfg *config.Confi
 	}
 	s.UseMiddleware(*vm)

-	if cfg.CorsHeaders != "" && os.Getenv("DOCKERD_DEPRECATED_CORS_HEADER") != "" {
-		log.G(ctx).Warn(`DEPRECATED: The "api-cors-header" config parameter and the dockerd "--api-cors-header" option will be removed in the next release. Use a reverse proxy if you need CORS headers.`)
-		c := middleware.NewCORSMiddleware(cfg.CorsHeaders) //nolint:staticcheck // ignore SA1019 (NewCORSMiddleware is deprecated); will be removed in the next release.
-		s.UseMiddleware(c)
-	}
-
 	authzMiddleware := authorization.NewMiddleware(cfg.AuthorizationPlugins, pluginStore)
 	s.UseMiddleware(authzMiddleware)
 	return authzMiddleware, nil
--- a/daemon/config/config.go
+++ b/daemon/config/config.go
@@ -160,7 +160,7 @@ type CommonConfig struct {
 	Root                  string   `json:"data-root,omitempty"`
 	ExecRoot              string   `json:"exec-root,omitempty"`
 	SocketGroup           string   `json:"group,omitempty"`
-	CorsHeaders           string   `json:"api-cors-header,omitempty"` // Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
+	CorsHeaders           string   `json:"api-cors-header,omitempty"` // Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release. // TODO(thaJeztah): option is used to produce error when used; remove in next release

 	// Proxies holds the proxies that are configured for the daemon.
 	Proxies `json:"proxies"`
@@ -683,6 +683,11 @@ func Validate(config *Config) error {
 		}
 	}

+	if config.CorsHeaders != "" {
+		// TODO(thaJeztah): option is used to produce error when used; remove in next release
+		return errors.New(`DEPRECATED: The "api-cors-header" config parameter and the dockerd "--api-cors-header" option have been removed; use a reverse proxy if you need CORS headers`)
+	}
+
 	// validate platform-specific settings
 	return config.ValidatePlatformConfig()
 }