Refactor CORS handler (#28587) #28611
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The CORS code has been unmaintained for long time, and the behavior is not correct. This PR tries to improve it. The key point is written as comment in code. And add more tests. Fix go-gitea#28515 Fix go-gitea#27642 Fix go-gitea#17098 # Conflicts: # tests/integration/cors_test.go
GiteaBot
added
the
lgtm/need 2
pull-request-size
bot
added
the
size/L
github-actions
bot
added
modifies/api
lunny
approved these changes
Dec 25, 2023
GiteaBot
added
lgtm/need 1
delvh
approved these changes
Dec 25, 2023
Comment on lines
-1159
to
-1166
| ;; scheme of allowed requests | ||
| ;SCHEME = http | ||
| ;; | ||
| ;; list of requesting domains that are allowed | ||
| ;; list of requesting origins that are allowed, eg: "https://*.example.com" | ||
| ;ALLOW_DOMAIN = * | ||
| ;; | ||
| ;; allow subdomains of headers listed above to request | ||
| ;ALLOW_SUBDOMAIN = false |
There was a problem hiding this comment.
I'm not really a fan of backporting config "changes" as that's unexpected in a minor version.
There was a problem hiding this comment.
Nevertheless, I think we should also add one of these config <x> is no longer used warnings for these two (at best in main, and then backport to 1.21 as well).
There was a problem hiding this comment.
I'm not really a fan of backporting config "changes" as that's unexpected in a minor version.
It's not "changes", but it's "bug fix", because these options have been no-op for long time, keeping them would only mislead users but don't bring any real benefit.
Nevertheless, I think we should also add one of these
config <x> is no longer usedwarnings for these two (at best in main, and then backport to 1.21 as well).
I think it should be handled by the config framework automatically in the future, to help users to find their low-level mistakes. At this moment, I don't like adding them one by one manually.
GiteaBot
added
lgtm/done
nrdufour
added a commit
to nrdufour/home-ops
that referenced
this pull request
Jan 17, 2024
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [docker.io/gitea/gitea](https://github.com/go-gitea/gitea) | patch | `1.21.3` -> `1.21.4` | --- ### Release Notes <details> <summary>go-gitea/gitea (docker.io/gitea/gitea)</summary> ### [`v1.21.4`](https://github.com/go-gitea/gitea/releases/tag/v1.21.4) [Compare Source](go-gitea/gitea@v1.21.3...v1.21.4) - SECURITY - Update github.com/cloudflare/circl ([#​28789](go-gitea/gitea#28789)) ([#​28790](go-gitea/gitea#28790)) - Require token for GET subscription endpoint ([#​28765](go-gitea/gitea#28765)) ([#​28768](go-gitea/gitea#28768)) - BUGFIXES - Use refname:strip-2 instead of refname:short when syncing tags ([#​28797](go-gitea/gitea#28797)) ([#​28811](go-gitea/gitea#28811)) - Fix links in issue card ([#​28806](go-gitea/gitea#28806)) ([#​28807](go-gitea/gitea#28807)) - Fix nil pointer panic when exec some gitea cli command ([#​28791](go-gitea/gitea#28791)) ([#​28795](go-gitea/gitea#28795)) - Require token for GET subscription endpoint ([#​28765](go-gitea/gitea#28765)) ([#​28778](go-gitea/gitea#28778)) - Fix button size in "attached header right" ([#​28770](go-gitea/gitea#28770)) ([#​28774](go-gitea/gitea#28774)) - Fix `convert.ToTeams` on empty input ([#​28426](go-gitea/gitea#28426)) ([#​28767](go-gitea/gitea#28767)) - Hide code related setting options in repository when code unit is disabled ([#​28631](go-gitea/gitea#28631)) ([#​28749](go-gitea/gitea#28749)) - Fix incorrect URL for "Reference in New Issue" ([#​28716](go-gitea/gitea#28716)) ([#​28723](go-gitea/gitea#28723)) - Fix panic when parsing empty pgsql host ([#​28708](go-gitea/gitea#28708)) ([#​28709](go-gitea/gitea#28709)) - Upgrade xorm to new version which supported update join for all supported databases ([#​28590](go-gitea/gitea#28590)) ([#​28668](go-gitea/gitea#28668)) - Fix alpine package files are not rebuilt ([#​28638](go-gitea/gitea#28638)) ([#​28665](go-gitea/gitea#28665)) - Avoid cycle-redirecting user/login page ([#​28636](go-gitea/gitea#28636)) ([#​28658](go-gitea/gitea#28658)) - Fix empty ref for cron workflow runs ([#​28640](go-gitea/gitea#28640)) ([#​28647](go-gitea/gitea#28647)) - Remove unnecessary syncbranchToDB with tests ([#​28624](go-gitea/gitea#28624)) ([#​28629](go-gitea/gitea#28629)) - Use known issue IID to generate new PR index number when migrating from GitLab ([#​28616](go-gitea/gitea#28616)) ([#​28618](go-gitea/gitea#28618)) - Fix flex container width ([#​28603](go-gitea/gitea#28603)) ([#​28605](go-gitea/gitea#28605)) - Fix the scroll behavior for emoji/mention list ([#​28597](go-gitea/gitea#28597)) ([#​28601](go-gitea/gitea#28601)) - Fix wrong due date rendering in issue list page ([#​28588](go-gitea/gitea#28588)) ([#​28591](go-gitea/gitea#28591)) - Fix `status_check_contexts` matching bug ([#​28582](go-gitea/gitea#28582)) ([#​28589](go-gitea/gitea#28589)) - Fix 500 error of searching commits ([#​28576](go-gitea/gitea#28576)) ([#​28579](go-gitea/gitea#28579)) - Use information from previous blame parts ([#​28572](go-gitea/gitea#28572)) ([#​28577](go-gitea/gitea#28577)) - Update mermaid for 1.21 ([#​28571](go-gitea/gitea#28571)) - Fix 405 method not allowed CORS / OIDC ([#​28583](go-gitea/gitea#28583)) ([#​28586](go-gitea/gitea#28586)) ([#​28587](go-gitea/gitea#28587)) ([#​28611](go-gitea/gitea#28611)) - Fix `GetCommitStatuses` ([#​28787](go-gitea/gitea#28787)) ([#​28804](go-gitea/gitea#28804)) - Forbid removing the last admin user ([#​28337](go-gitea/gitea#28337)) ([#​28793](go-gitea/gitea#28793)) - Fix schedule tasks bugs ([#​28691](go-gitea/gitea#28691)) ([#​28780](go-gitea/gitea#28780)) - Fix issue dependencies ([#​27736](go-gitea/gitea#27736)) ([#​28776](go-gitea/gitea#28776)) - Fix system webhooks API bug ([#​28531](go-gitea/gitea#28531)) ([#​28666](go-gitea/gitea#28666)) - Fix when private user following user, private user will not be counted in his own view ([#​28037](go-gitea/gitea#28037)) ([#​28792](go-gitea/gitea#28792)) - Render code block in activity tab ([#​28816](go-gitea/gitea#28816)) ([#​28818](go-gitea/gitea#28818)) - ENHANCEMENTS - Rework markup link rendering ([#​26745](go-gitea/gitea#26745)) ([#​28803](go-gitea/gitea#28803)) - Modernize merge button ([#​28140](go-gitea/gitea#28140)) ([#​28786](go-gitea/gitea#28786)) - Speed up loading the dashboard on mysql/mariadb ([#​28546](go-gitea/gitea#28546)) ([#​28784](go-gitea/gitea#28784)) - Assign pull request to project during creation ([#​28227](go-gitea/gitea#28227)) ([#​28775](go-gitea/gitea#28775)) - Show description as tooltip instead of title for labels ([#​28754](go-gitea/gitea#28754)) ([#​28766](go-gitea/gitea#28766)) - Make template `DateTime` show proper tooltip ([#​28677](go-gitea/gitea#28677)) ([#​28683](go-gitea/gitea#28683)) - Switch destination directory for apt signing keys ([#​28639](go-gitea/gitea#28639)) ([#​28642](go-gitea/gitea#28642)) - Include heap pprof in diagnosis report to help debugging memory leaks ([#​28596](go-gitea/gitea#28596)) ([#​28599](go-gitea/gitea#28599)) - DOCS - Suggest to use Type=simple for systemd service ([#​28717](go-gitea/gitea#28717)) ([#​28722](go-gitea/gitea#28722)) - Extend description for ARTIFACT_RETENTION_DAYS ([#​28626](go-gitea/gitea#28626)) ([#​28630](go-gitea/gitea#28630)) - MISC - Add -F to commit search to treat keywords as strings ([#​28744](go-gitea/gitea#28744)) ([#​28748](go-gitea/gitea#28748)) - Add download attribute to release attachments ([#​28739](go-gitea/gitea#28739)) ([#​28740](go-gitea/gitea#28740)) - Concatenate error in `checkIfPRContentChanged` ([#​28731](go-gitea/gitea#28731)) ([#​28737](go-gitea/gitea#28737)) - Improve 1.21 document for Database Preparation ([#​28643](go-gitea/gitea#28643)) ([#​28644](go-gitea/gitea#28644)) Instances on **[Gitea Cloud](https://cloud.gitea.com)** will be automatically upgraded to this version during the specified maintenance window. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMzIuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEzMi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Reviewed-on: https://git.home/nrdufour/home-ops/pulls/316 Co-authored-by: Renovate <[email protected]> Co-committed-by: Renovate <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport #28587, the only conflict is the test file.
The CORS code has been unmaintained for long time, and the behavior is not correct.
This PR tries to improve it. The key point is written as comment in code. And add more tests.
Fix #28515
Fix #27642
Fix #17098