We need more CORS configurability #677

Open
atruskie opened this issue May 13, 2024 · 0 comments
Labels: API, enhancement, security, triage:medium

Comments

@atruskie (Member)

As the workbenches can be public APIs, we need random websites to be able to access different API endpoints from a range of websites that we can't predetermine.

Our current CORS configurability is not good enough:

  • origins (`Settings.host.cors_origins`): we can only allow whole origins.

So the plan is:

  • Change CORS responses so that media GET requests allow cross origin
  • Keep the CORS of /security routes restricted to the workbench client
  • Maybe: Change to HTTP-only auth cookies and set Access-Control-Allow-Credentials

Basically, allow access for any public non-mutative routes/actions, but restrict security routes and any mutative actions for trusted origins.
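One way the split described in this issue could be expressed, as an added example that is not the project's own code: a Rack middleware that answers CORS (including preflights) per route, so public read-only media routes get a wildcard origin without credentials, while `/security` routes and any non-GET request only get an origin echoed back, with credentials, when it is on a trusted list. The trusted origin, the path patterns and the env keys used are assumptions for illustration.

```ruby
# Added example, not code from the project. Route-scoped CORS policy as Rack middleware.
class RouteScopedCors
  TRUSTED_ORIGINS = ['https://workbench.example.org'].freeze # assumed workbench client origin
  PUBLIC_MEDIA    = %r{/media(\.|/|\z)}                       # assumed public media route shape
  RESTRICTED      = %r{\A/security}                           # assumed security route prefix
  SAFE_METHODS    = %w[GET HEAD].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    origin    = env['HTTP_ORIGIN']
    method    = env['REQUEST_METHOD']
    preflight = method == 'OPTIONS' && env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
    # A preflight asks about the method the browser intends to send, so judge that one.
    effective = preflight ? env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] : method
    cors = self.class.headers_for(env['PATH_INFO'], effective, origin)
    if preflight
      # Answer the preflight here; an empty policy means the browser blocks the request.
      unless cors.empty?
        cors['Access-Control-Allow-Methods'] = effective
        requested = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
        cors['Access-Control-Allow-Headers'] = requested if requested
      end
      return [204, cors, []]
    end
    status, headers, body = @app.call(env)
    [status, headers.merge(cors), body]
  end

  # Returns the CORS headers a response should carry for this path/method/origin.
  def self.headers_for(path, method, origin)
    return {} if origin.nil? # same-origin or non-browser request: nothing to add
    if path.match?(RESTRICTED) || !SAFE_METHODS.include?(method)
      # Security routes and mutative actions: trusted origins only, credentials allowed.
      return {} unless TRUSTED_ORIGINS.include?(origin)
      return { 'Access-Control-Allow-Origin' => origin,
               'Access-Control-Allow-Credentials' => 'true',
               'Vary' => 'Origin' }
    end
    # Public read-only media: any origin, but never with credentials.
    return { 'Access-Control-Allow-Origin' => '*' } if path.match?(PUBLIC_MEDIA)
    {}
  end
end
```

Note that the wildcard branch deliberately omits Access-Control-Allow-Credentials: browsers reject `*` combined with credentials, which is what keeps cookie-authenticated actions off the public path.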

@atruskie added the enhancement, triage:medium, API and security labels on May 13, 2024