Istio 1.6 AuthorizationPolicy does not have proper response code if coming from cross origin

吃可爱长大的小学妹 submitted on 2021-01-28 19:39:14

Question

We have implemented this security filter to pre-validate our JWT token before it reaches the backend services. It is helpful that it can check some conditions that will be your criteria to accept or reject a request.

Our problem now is that when you send your request to a different URL (for which we already configured the CORS policy in the VirtualService), the policy rejects the request and doesn't return Access-Control-Allow-Origin in the headers, which triggers CORS blocking in the Chrome browser.

Here's some example definitions:

Custom Ingress Gateway's policy

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: custom-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      gateway-name: custom-ingress
  jwtRules:
  - issuer: https://some-issuer.com/
    jwksUri: https://some-issuer.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: custom-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      gateway-name: custom-ingress
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        methods: ["POST"]
        paths:
        - /restricted/path/A
        - /restricted/path/B
        - /restricted/path/C

Service Virtual Service

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
    - some-host.com
  gateways:
    - istio-system/custom-gateway
  http:
    - name: my-service-route
      match:
        - uri:
            exact: /restricted/path/A
      rewrite:
        uri: /A
      route:
        - destination:
            host: my-service
            subset: stable
            port:
              number: 8080
      corsPolicy:
        allowOrigins:
        - prefix: https://some-origin.com
        allowMethods:
        - OPTIONS
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
        allowCredentials: false
        allowHeaders:
        - authorization
        - content-type
        - accept
        - origin
        - grpc-timeout
        - keep-alive
        - user-agent
        - cache-control
        - content-transfer-encoding
        - x-accept-content-transfer-encoding
        - x-accept-response-streaming
        - x-user-agent
        - x-grpc-web
        maxAge: "1h"

When the Chrome browser requests:

  1. OPTIONS /restricted/path/A - returns 200 along with headers like Access-Control-Allow-Origin
  2. POST /restricted/path/A - returns 403 with no other headers

What do you think I should do?

Source: https://stackoverflow.com/questions/63313148/istio-1-6-authorizationpolicy-does-not-have-proper-response-code-if-coming-from
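To reproduce the two requests outside the browser and see which response is missing the CORS headers, here is an added diagnostic script (not part of the original question or of Istio): it replays the OPTIONS preflight and the POST the way Chrome sends them and reports whether each response carries Access-Control-Allow-Origin. The URL, origin and token values are assumed placeholders.

```python
import urllib.error
import urllib.request

# Assumed placeholders: set the real gateway host, the browser origin and a valid JWT.
URL = "https://some-host.com/restricted/path/A"
ORIGIN = "https://some-origin.com"


def has_cors_headers(headers) -> bool:
    """True when the response carries Access-Control-Allow-Origin (any case)."""
    return any(k.lower() == "access-control-allow-origin" for k in headers)


def explain(step: str, status: int, headers) -> str:
    """Describe one response as the browser will treat it."""
    if has_cors_headers(headers):
        return f"{step}: HTTP {status}, CORS headers present, browser sees the status"
    return (f"{step}: HTTP {status} without Access-Control-Allow-Origin, "
            "browser reports a CORS error and hides the status")


def _send(req: urllib.request.Request):
    """Return (status, headers); a 4xx/5xx is a normal result here, not a failure."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def probe(url=URL, origin=ORIGIN, token=None) -> list:
    """Replay Chrome's sequence: the OPTIONS preflight, then the real POST."""
    preflight = urllib.request.Request(url, method="OPTIONS", headers={
        "Origin": origin,
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "authorization,content-type",
    })
    post_headers = {"Origin": origin, "Content-Type": "application/json"}
    if token:  # without a token the DENY rule above matches a POST on this path
        post_headers["Authorization"] = f"Bearer {token}"
    post = urllib.request.Request(url, data=b"{}", method="POST", headers=post_headers)
    return [explain(name, *_send(req))
            for name, req in (("OPTIONS preflight", preflight), ("POST", post))]


if __name__ == "__main__":
    print("\n".join(probe()))
```

Run it once without a token and once with a valid one: the preflight should be reported with CORS headers both times, and the difference between the two POST lines shows whether the 403 itself or only the missing header is what the browser hides.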
