Allow all /api/v2/ CORS if the Domain is known #4880
Conversation
    # Don't do domain checking for APIv2 when the Domain is known
    if request.path_info.startswith('/api/v2/'):
        domain = Domain.objects.filter(domain__icontains=host)
        if domain.exists():
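Review bot: `Domain.objects.filter(domain__icontains=host)` is a substring match, so the filter is also satisfied by any host that merely appears inside a registered domain name rather than equalling one; since the intent stated in the comment is "when the Domain is known", an exact comparison such as `domain__iexact=host` expresses that intent and rules out partial matches.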
Do we want to allow to access the API no matter which domain the request comes from?
Codecov Report
@@ Coverage Diff @@
## master #4880 +/- ##
==========================================
- Coverage 76.64% 76.63% -0.02%
==========================================
Files 158 158
Lines 10054 10062 +8
Branches 1271 1271
==========================================
+ Hits 7706 7711 +5
- Misses 2007 2011 +4
+ Partials 341 340 -1
    # Don't do domain checking for APIv2 when the Domain is known
    if request.path_info.startswith('/api/v2/'):
        domain = Domain.objects.filter(domain__icontains=host)
        if domain.exists():
I'm -0 on allowing all API calls to all projects from all Domains. We should still be mapping the domain -> project, so I think we can just add /api/v2/ to WHITELIST_URLS?
How do you connect the Domain -> Project for this case? When calling /api/v2 we don't pass the project= query string.
One thing we can do here is just allow safe methods for /api/v2 endpoints: GET and HEAD.
Works for me. We should include more thinking and research around CORS when we do https://github.com/rtfd/readthedocs-ops/pull/441 and document our approach.
Currently, if any documentation project tries to use our APIv2 from a custom domain by doing an AJAX request, it will be blocked because of CORS.
This PR adds a new check for this by allowing CORS on all the URLs that start with /api/v2/ when the HTTP_ORIGIN header is a known Domain in our platform.

Raised at humitos/sphinx-version-warning#23
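As an added example (not readthedocs.org code), here is a dependency-free version of the decision this PR and the review thread describe: cross-origin APIv2 requests are allowed only when the Origin hostname is a registered Domain and the method is one of the safe methods proposed in the review (GET, HEAD). The KNOWN_DOMAINS set is a constructed stand-in for the Domain table, and the hostname is compared exactly rather than with the substring filter shown in the diff.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the platform's Domain rows (lower-cased hostnames).
KNOWN_DOMAINS = {"docs.example.com", "manual.example.org"}

API_V2_PREFIX = "/api/v2/"
SAFE_METHODS = {"GET", "HEAD"}  # the restriction proposed in the review thread


def origin_host(origin):
    """Return the lower-cased hostname from an Origin header value, or None.

    Origin is a serialized origin (scheme://host[:port]); values that do not
    parse to an http(s) hostname, such as the literal "null", yield None.
    """
    if not origin:
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def api_v2_cors_allowed(path, method, origin, known_domains=KNOWN_DOMAINS):
    """Decide whether an APIv2 request may be answered cross-origin.

    All three conditions must hold: the path is under /api/v2/, the method is
    a safe method, and the Origin hostname exactly equals a known Domain.
    Exact membership means an origin is accepted only for the domain that is
    actually registered, not for any name that happens to contain it.
    """
    if not path.startswith(API_V2_PREFIX):
        return False
    if method.upper() not in SAFE_METHODS:
        return False
    host = origin_host(origin)
    return host is not None and host in known_domains


def cors_headers(path, method, origin, known_domains=KNOWN_DOMAINS):
    """Response headers to add: echo the specific Origin (never '*') and
    mark the response as varying on Origin so caches keep them apart."""
    if not api_v2_cors_allowed(path, method, origin, known_domains):
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```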