
[proxy] Enable CORS for api.<domain> from https://<domain> origin #13743


Merged
merged 1 commit into from
Oct 13, 2022

Conversation

easyCZ
Member

@easyCZ easyCZ commented Oct 11, 2022

Description

Extends our CORS plugin configuration to specify AllowedOrigins. This is done because the BaseDomain subdirective does not work (see #13740 for why), and in this case because we're enabling the cors for the sub-domain (api.) but allowing traffic from the root domain, we cannot use the BaseDomain directive anyway.

Related Issue(s)

How to test

Test we get the expected Access-Control-Allow-* headers when Origin is GITPOD_DOMAIN

curl https://api.mp-proxy-c2a55ca9ff1.preview.gitpod-dev.com/ \
   -H "Origin: https://mp-proxy-c2a55ca9ff1.preview.gitpod-dev.com" \
   -H "Access-Control-Request-Method: POST" \
   -H "Access-Control-Request-Headers: X-Requested-With" \
   -X OPTIONS -i

HTTP/2 204
access-control-allow-credentials: true
access-control-allow-headers: X-Requested-With
access-control-allow-methods: POST
access-control-allow-origin: https://mp-proxy-c2a55ca9ff1.preview.gitpod-dev.com
access-control-max-age: 60
server: Caddy
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
date: Wed, 12 Oct 2022 20:53:59 GMT

Test that no CORS headers are present when Origin does not match

curl https://api.mp-proxy-c2a55ca9ff1.preview.gitpod-dev.com/ \
   -H "Origin: https://random.website.com" \
   -H "Access-Control-Request-Method: POST" \
   -H "Access-Control-Request-Headers: X-Requested-With" \
   -X OPTIONS -i

HTTP/2 204
server: Caddy
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
date: Wed, 12 Oct 2022 20:55:13 GMT

Release Notes

NONE

Documentation

Werft options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-integration-tests=all
    Valid options are all, workspace, webapp, ide
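The allow/deny behaviour that the two curl checks above verify, written out as an added Python example for this page (it is not Gitpod's Caddy configuration or proxy code); the helper names, the exact-match allow-list, and the look-alike origins in the sample run are assumptions.

```python
# Added example (not Gitpod's proxy code): the CORS preflight decision the PR's
# "How to test" section exercises, as a pure function so it runs offline.
# Origins are compared for an exact match against an allow-list, never by
# suffix and never reflected, and "Vary" is emitted on both paths.

from typing import Dict, List, Optional

MAX_AGE = "60"  # matches the access-control-max-age seen in the PR output


def gitpod_allowed_origins(base_domain: str) -> List[str]:
    """Allow-list for api.<domain>: exactly one origin, https://<domain>."""
    return [f"https://{base_domain}"]


def cors_preflight_headers(allowed_origins: List[str], origin: Optional[str],
                           req_method: Optional[str],
                           req_headers: Optional[str]) -> Dict[str, List[str]]:
    """Return response headers for an OPTIONS preflight.

    The Vary headers are always present so caches key on the request
    fields; the Access-Control-* headers only when Origin matches exactly.
    """
    headers: Dict[str, List[str]] = {
        "vary": ["Origin", "Access-Control-Request-Method",
                 "Access-Control-Request-Headers"],
    }
    # Exact, case-sensitive comparison of the full origin (scheme + host [+ port]).
    if origin is None or origin not in allowed_origins:
        return headers
    headers["access-control-allow-origin"] = [origin]
    headers["access-control-allow-credentials"] = ["true"]
    if req_method:
        headers["access-control-allow-methods"] = [req_method]
    if req_headers:
        headers["access-control-allow-headers"] = [req_headers]
    headers["access-control-max-age"] = [MAX_AGE]
    return headers


if __name__ == "__main__":
    # The preview-environment domain from the PR stands in for <domain>;
    # the last two origins are constructed look-alikes that must be rejected.
    allowed = gitpod_allowed_origins("mp-proxy-c2a55ca9ff1.preview.gitpod-dev.com")
    for origin in ("https://mp-proxy-c2a55ca9ff1.preview.gitpod-dev.com",
                   "https://random.website.com",
                   "https://mp-proxy-c2a55ca9ff1.preview.gitpod-dev.com.example",
                   "http://mp-proxy-c2a55ca9ff1.preview.gitpod-dev.com"):
        hdrs = cors_preflight_headers(allowed, origin, "POST", "X-Requested-With")
        print(origin, "->", "allowed" if "access-control-allow-origin" in hdrs else "no CORS headers")
```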

@werft-gitpod-dev-com

started the job as gitpod-build-mp-proxy-cors-allowed-origins-config.1 because the annotations in the pull request description changed
(with .werft/ from main)

@easyCZ easyCZ changed the title [proxy] Use AllowedOrigins instead of BaseDomain for CORS [proxy] Use AllowedOrigins instead of BaseDomain for CORS, enable for api.<domain> Oct 11, 2022
@easyCZ easyCZ force-pushed the mp/proxy-cors-allowed-origins-config branch from f44ef93 to 66c696b October 12, 2022 20:39
@easyCZ easyCZ force-pushed the mp/proxy-cors-allowed-origins-config branch from 66c696b to a62d94b October 12, 2022 20:40
@easyCZ easyCZ changed the title [proxy] Use AllowedOrigins instead of BaseDomain for CORS, enable for api.<domain> [proxy] Enable CORS from https://api.<domain> origin Oct 12, 2022
@easyCZ easyCZ changed the title [proxy] Enable CORS from https://api.<domain> origin [proxy] Enable CORS for https://api.<domain> origin Oct 12, 2022
@easyCZ easyCZ changed the title [proxy] Enable CORS for https://api.<domain> origin [proxy] Enable CORS for api.<domain> from https://<domain> origin Oct 12, 2022
@easyCZ easyCZ marked this pull request as ready for review October 12, 2022 20:56
@easyCZ easyCZ requested a review from a team October 12, 2022 20:56
@github-actions github-actions bot added the team: webapp Issue belongs to the WebApp team label Oct 12, 2022
@geropl
Member

geropl commented Oct 13, 2022

Trying to come up with a negative test (waiting for preview env)...

@easyCZ
Member Author

easyCZ commented Oct 13, 2022

Negative is here:

Test that no CORS headers are present when Origin does not match

curl https://api.mp-proxy-c2a55ca9ff1.preview.gitpod-dev.com/ \
   -H "Origin: https://random.website.com/" \
   -H "Access-Control-Request-Method: POST" \
   -H "Access-Control-Request-Headers: X-Requested-With" \
   -X OPTIONS -i

HTTP/2 204
server: Caddy
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
date: Wed, 12 Oct 2022 20:55:13 GMT

Member

@geropl geropl left a comment


Code LGTM, tested and works ☑️

@roboquat roboquat merged commit e8ed010 into main Oct 13, 2022
@roboquat roboquat deleted the mp/proxy-cors-allowed-origins-config branch October 13, 2022 08:30
@geropl
Member

geropl commented Oct 13, 2022

Negative is here:

Jep, that one worked. Was looking for testing with a previous commit, without any of these changes, but worked as well. 👍

@roboquat roboquat added deployed: webapp Meta team change is running in production deployed Change is completely running in production labels Oct 14, 2022