feat: multiple-cors-allow-origin support

[tokers]

What this PR does / why we need it:

This Pull Request extended the "nginx.ingress.kubernetes.io/cors-allow-origin" annotation to accept multiple origin values.

It doesn't break the backward compatibility, "nginx.ingress.kubernetes.io/cors-allow-origin" still can accept a single origin. Each value in this annotation will be checked and as long as one of them is invalid, default value "*" for "nginx.ingress.kubernetes.io/cors-allow-origin" will be applied.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Which issue/s this PR fixes

#5496

How Has This Been Tested?

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have added tests to cover my changes.
• All new and existing tests passed.

[k8s-ci-robot]

Hi @tokers. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tao12345666333]

/ok-to-test

[tao12345666333]

/lgtm

[rjvim]

+1

[rikatz]

/lgtm
/approve

Thank you!!

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz, tao12345666333, tokers

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rikatz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[arianvp]

This implementation is incorrect. Access-Control-Allow-Origin header doesn't support multiple values like this. You can only return one Origin in the header. The server should decide whether the client's Origin matches a predefined list and then return only one.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

Specifies an origin. Only a single origin can be specified. If the server supports clients from multiple origins, it must return the origin for the specific client making the request.

In nginx this should be implemented by checking $http_origin against a predefined list and then returning Access-Control-Allow-Origin: $http_origin

This can be accomplished with a map expression:

map $http_origin $cors_header {
  default "";
  "https://a.example.com" $http_origin;
  "https://b.example.com" $http_origin;
}
more_set_headers "Access-Control-Allow-Origin: $cors_header";

[tokers]

@arianvp Thanks for your report, I have created a new issue #7162 to track this problem.