
Envoy CORS missing headers access-control-allow-methods access-control-allow-headers #33787

Open
AlexPo1234 opened this issue Apr 25, 2024 · 1 comment
Labels
area/cors question Questions that are neither investigations, bugs, nor enhancements

Comments


AlexPo1234 commented Apr 25, 2024

Title: Envoy CORS missing headers

Description:
I'm trying to add a CORS policy to my vhost in the ingress listener:

    - name: listener_1
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 443
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                codec_type: auto
                # upgrade_configs is a repeated field, so each entry is a list item
                upgrade_configs:
                  - upgrade_type: websocket
                # access_log is a repeated field as well
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: "/dev/stdout"
                stat_prefix: ingress_http
                http_protocol_options:
                  allow_chunked_length: true
                proxy_100_continue: true
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: web_servers
                      domains:
                        - "example.com"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: cluster_web_servers
                            timeout: 3s
                      cors:
                        allow_origin_string_match:
                          - prefix: "https://example.com"
                        allow_credentials: true
                        # allow_headers / allow_methods are only emitted in the
                        # response to a preflight (OPTIONS) request
                        allow_headers: Accept, Content-Type, Cookie, Range, X-Auth-Token, X-Client-Request-Id, X-Upload-Id, X-User-Id
                        allow_methods: GET,POST,OPTIONS
                        max_age: "1728000"
                http_filters:
                  - name: envoy.cors
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

The Envoy service starts and works. When I make a request with `curl -H "Origin: https://example.com" https://example.com`, curl returns a response without the headers access-control-allow-methods and access-control-allow-headers:

HTTP/1.1 200 OK
x-xss-protection: 1
x-content-type-options: nosniff
x-frame-options: sameorigin
content-security-policy: default-src 'self' ; connect-src * blob:; font-src 'self'  data:; frame-src blob: web_server://* *; frame-ancestors https://example.com; img-src * blob: data:; media-src * data:; script-src 'self' 'unsafe-eval' ; style-src 'self' 'unsafe-inline'
x-instance-id: 7zkRt5H7pWxHo8DQ4
x-powered-by: Express
content-type: text/html; charset=utf-8
vary: Accept-Encoding
date: Thu, 25 Apr 2024 09:36:54 GMT
x-envoy-upstream-service-time: 9
access-control-allow-origin: https://example.com
access-control-allow-credentials: true
server: envoy
transfer-encoding: chunked

How can I add the missing headers to the Envoy response?

Tested on Envoy versions 1.23.1, 1.30.1

@AlexPo1234 AlexPo1234 added the triage Issue requires triage label Apr 25, 2024
wbpcode (Member) commented Apr 26, 2024

https://fetch.spec.whatwg.org/#http-responses

access-control-allow-methods and access-control-allow-headers are only added to the response to the preflight request. Typically you send a single CORS request, which is not a preflight request.

You can send a preflight request by setting the request method to OPTIONS and adding an additional Access-Control-Request-Method header.

@wbpcode wbpcode added question Questions that are neither investigations, bugs, nor enhancements area/cors and removed triage Issue requires triage labels Apr 26, 2024
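The distinction the answer draws (allow-lists only on the preflight response) can be checked without a live proxy. The following is an added example, not Envoy's CORS filter and not code from this thread: a small model of the Fetch spec's CORS rules applied to the policy values from the issue's `cors:` block, plus a helper that reads a `curl -i` header dump like the one posted above and says whether the missing headers are expected. The prefix-based origin matching and the exact header set emitted are assumptions about how that config behaves, not a reading of Envoy's source; the sample response is constructed from the issue's output.

```python
"""Which CORS headers does a preflight get, and which does an actual request get?

Added example, not Envoy code: a model of the Fetch spec's CORS rules
(https://fetch.spec.whatwg.org/#http-responses) using the policy values from
the issue's `cors:` block. Origin-prefix matching and the header set are
assumptions about that config's behaviour, not a reading of Envoy's source.
"""
from dataclasses import dataclass


@dataclass
class CorsPolicy:
    allow_origin_prefixes: list   # mirrors allow_origin_string_match: prefix
    allow_credentials: bool
    allow_headers: str
    allow_methods: str
    max_age: str


# Constructed to mirror the vhost policy posted in the issue.
POLICY = CorsPolicy(
    allow_origin_prefixes=["https://example.com"],
    allow_credentials=True,
    allow_headers="Accept, Content-Type, Cookie, Range, X-Auth-Token, "
                  "X-Client-Request-Id, X-Upload-Id, X-User-Id",
    allow_methods="GET,POST,OPTIONS",
    max_age="1728000",
)

# Headers that appear only on a preflight response.
PREFLIGHT_ONLY = ("access-control-allow-methods", "access-control-allow-headers")


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def is_preflight(method, req_headers):
    """Fetch spec: a preflight is OPTIONS + Origin + Access-Control-Request-Method."""
    h = _lower(req_headers)
    return (method.upper() == "OPTIONS"
            and "origin" in h
            and "access-control-request-method" in h)


def cors_response_headers(policy, method, req_headers):
    """CORS headers a proxy enforcing `policy` adds; {} if not a matching CORS request."""
    h = _lower(req_headers)
    origin = h.get("origin")
    if origin is None or not any(origin.startswith(p) for p in policy.allow_origin_prefixes):
        return {}
    out = {"access-control-allow-origin": origin}
    if policy.allow_credentials:
        out["access-control-allow-credentials"] = "true"
    if is_preflight(method, req_headers):
        # Only the preflight response advertises the allow-lists and cache time.
        out["access-control-allow-methods"] = policy.allow_methods
        out["access-control-allow-headers"] = policy.allow_headers
        out["access-control-max-age"] = policy.max_age
    return out


def parse_response_headers(raw):
    """Header block of a `curl -i` response (status line first) -> lower-cased dict."""
    out = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip().lower()] = v.strip()
    return out


def explain(method, req_headers, raw_response):
    """Say whether absent allow-methods/allow-headers in a captured response is expected."""
    resp = parse_response_headers(raw_response)
    if "origin" not in _lower(req_headers):
        return "not a CORS request: no Origin header sent"
    if "access-control-allow-origin" not in resp:
        return "origin not allowed by policy"
    if not is_preflight(method, req_headers):
        return "actual request: allow-methods/allow-headers are not expected here"
    if all(k in resp for k in PREFLIGHT_ONLY):
        return "preflight: ok"
    return "preflight: allow-lists missing, check the cors policy"


# Constructed sample, trimmed from the response posted in the issue.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
access-control-allow-origin: https://example.com
access-control-allow-credentials: true
server: envoy
"""

if __name__ == "__main__":
    simple = {"Origin": "https://example.com"}
    print(explain("GET", simple, SAMPLE_RESPONSE))
    preflight = dict(simple, **{"Access-Control-Request-Method": "POST"})
    for k, v in cors_response_headers(POLICY, "OPTIONS", preflight).items():
        print(f"{k}: {v}")
```

Against the real listener the same check is `curl -i -X OPTIONS -H "Origin: https://example.com" -H "Access-Control-Request-Method: POST" https://example.com`, which should now show the allow-methods and allow-headers lines. One thing the model also makes visible: a `prefix` match on `https://example.com` accepts any origin that starts with that string (for instance `https://example.community`), and with `allow_credentials: true` that widens who may read credentialed responses; an `exact` origin match (or a `suffix`/`safe_regex` match anchored on the host) is the safer setting.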