Skip to content

SITES-8366 - [wknd.site] Update CORS configuration to support multiple origins #382

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

SITES-8366 - [wknd.site] Update CORS configuration to support multiple origins #382

wants to merge 1 commit into from
+60 −48

Conversation

raducotescu
Copy link
Member

Description

This PR moves all publish-tier CORS configuration in the dispatcher, since that's the only layer that can correctly apply Vary based caching.

How Has This Been Tested?

The dispatcher change configuration has been tested using the Dispatcher SDK.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have signed the Adobe Open Source CLA.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed (there are no specific dispatcher/CORS tests)

@raducotescu
SITES-8366 - [wknd.site] Update CORS configuration to support multipl…
b7de89f 
…e origins

* implemented CORS rules at the dispatcher level
davidjgonzalez
davidjgonzalez approved these changes Oct 11, 2022
View reviewed changes
Copy link
Contributor

@davidjgonzalez davidjgonzalez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Radu!

Few quick Qs.

  1. How does this impact local development (AEM SDK/6.5) .. i assume this requires local AEM Headless development to run the Dispatch Tools?
    • Could we leave in the CORS OSGi configuration for local development on Publish? Is there a clean way to do that?
  2. Historically, in the OSGI configuration, we'd set allow URL path patterns for a CORS config; it appears that the dispatcher approach allows a known origin/pattern to CORS any path -- is this is security issue? We configured the OSGi config on principle of least privilege. Just want to very that this is not important (or that im missing the path restrictions somewhere)

@raducotescu
Copy link
Member Author

For 1. I guess we could add a publish config that's only active on development environments - we should probably add a new dev runmode for that.

For 2. we could wrap these configs inside a Location or LocationMatch directive.

@davidjgonzalez
Copy link
Contributor

@raducotescu

  1. How would we distinguish between AEM SDK dev and AEM as a Cloud service dev? Would a OSGi config on AEM as a Cloud Service Dev be problematic? Or will the httpd config overrwrite any headers that might generate?
  2. IMO, Less is more. If its OK not to add this extra concern, that's simpler from a user POV. If we need to add it from a security POV, then i guess we have to. I was just raising the question to make sure we didn't miss something; ill leave it to yall to determine if its best practice/required.

@davidjgonzalez davidjgonzalez marked this pull request as draft October 17, 2022 14:34
@davidjgonzalez
Copy link
Contributor

Converting to Draft as this depends on AEM CS release (which contains updates to Dispatcher).

jasghar
jasghar reviewed Jan 17, 2023
View reviewed changes
dispatcher/src/conf.d/rewrites/rewrite.rules
# CORS - send 204 for CORS requests which are not trusted
RewriteCond expr "reqenv('CORSProcessing') == 'true' && reqenv('CORSTrusted') == 'false'"
RewriteRule "^(.*)" - [R=204,L]

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This rewrite rule will not work in its current form/position, as conf.d/rewrites/default_rewrite.rules contains rewrite at as a last rule with flag [PT], and that implicitly implies L flag. See PT section on https://httpd.apache.org/docs/2.4/rewrite/flags.html

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Jabran, have you tested the PR?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, tested this using a local author-publish-dispatcher setup.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@davidjgonzalez davidjgonzalez davidjgonzalez approved these changes

@keepthebyte keepthebyte Awaiting requested review from keepthebyte

@vladbailescu vladbailescu Awaiting requested review from vladbailescu

@godanny86 godanny86 Awaiting requested review from godanny86

+1 more reviewer

@jasghar jasghar jasghar left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@raducotescu @davidjgonzalez @jasghar