feat: allow cross-origin requests between users' own apps #7688

Merged
merged 7 commits into from
Jun 7, 2023


code-asher
Member

Closes #5706

@code-asher code-asher changed the title Allow cross-origin requests between users' own apps feat: Allow cross-origin requests between users' own apps May 25, 2023
@code-asher
Member Author

code-asher commented May 25, 2023

Originally I also overwrote CORS-related headers from the application (if it set any) but I ended up removing that because:

a) Currently users can already set their own headers (aside from OPTIONS requests) so this would be adding a new restriction I am not yet sure we want.
b) Not sure if allowing that has any security downsides. Nothing I can think of, at least. Nothing that uniquely affects cross-origin requests I should say.

@code-asher code-asher requested a review from Emyrk May 25, 2023 23:29
@code-asher code-asher marked this pull request as ready for review May 30, 2023 15:26
@code-asher code-asher changed the title feat: Allow cross-origin requests between users' own apps feat: allow cross-origin requests between users' own apps May 31, 2023
@Emyrk
Member

Emyrk commented Jun 1, 2023

Because we issue auth cookies based on each subdomain, I think we are going to get 403 Forbidden on these CORS requests unless the user authenticated to the other domain first.

But we can handle that later, just going to crop up quick 😢

@code-asher
Member Author

> Because we issue auth cookies based on each subdomain, I think we are going to get 403 Forbidden on these CORS requests unless the user authenticated to the other domain first.

Ahh good point, tested to confirm this is indeed a problem, the requests get redirected to auth.

> But we can handle that later, just going to crop up quick

Yeah I will merge this in for now, I have no idea how we are going to solve it though. Maybe we can at least return an error on cross-origin requests that says "you have to go authenticate first". Or if we can somehow authenticate without the redirection.

I think it was lost when I was resolving a conflict here.
@code-asher code-asher merged commit f0c5201 into main Jun 7, 2023
@code-asher code-asher deleted the asher/cors branch June 7, 2023 19:08
@github-actions github-actions bot locked and limited conversation to collaborators Jun 7, 2023
Successfully merging this pull request may close these issues.

CORS is not permitted between multiple subdomain workspace apps
3 participants