3 changes: 2 additions & 1 deletion src/sentry/api/base.py
Expand Up @@ -78,7 +78,8 @@ def allow_cors_options_wrapper(self, request: Request, *args, **kwargs):
response["Access-Control-Allow-Methods"] = allow
response["Access-Control-Allow-Headers"] = (
"X-Sentry-Auth, X-Requested-With, Origin, Accept, "
"Content-Type, Authentication, Authorization, Content-Encoding"
"Content-Type, Authentication, Authorization, Content-Encoding, "
"sentry-trace, baggage"
)
response["Access-Control-Expose-Headers"] = "X-Sentry-Error, Retry-After"
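Review bot: The allowed-header list on lines 27-30 is a hand-maintained string literal whose correctness now hinges on the trailing `, ` added to line 29, and the same literal is copied verbatim into two tests in this PR. A tuple joined at the assignment would make the separator impossible to get wrong, e.g. `CORS_ALLOW_HEADERS = ("X-Sentry-Auth", "X-Requested-With", "Origin", "Accept", "Content-Type", "Authentication", "Authorization", "Content-Encoding", "sentry-trace", "baggage")` and `response["Access-Control-Allow-Headers"] = ", ".join(CORS_ALLOW_HEADERS)` (constant name is a suggestion). A short comment on the two new names would also help a later reader, such as `# sentry-trace / baggage: trace-propagation headers; listing them lets the preflight admit instrumented cross-origin requests`. `allow_cors_options_wrapper` starts and continues outside the hunk.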

2 changes: 1 addition & 1 deletion static/app/api.tsx
Expand Up @@ -448,7 +448,7 @@ export class Client {
method,
body,
headers,
credentials: 'same-origin',
credentials: 'include',
Are there any risks doing this?

Tells browsers to include credentials in both same- and cross-origin requests, and always use any credentials sent back in responses.

I think this is low risk, as cookies are still domain-matched. We could leak cookies to other sentry.io domains, but that is already possible with browser navigation.

signal: aborter?.signal,
});
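Review bot: The switch to `credentials: 'include'` on line 42 carries no explanation in the code, and it changes every request the client issues, not only instrumented ones. A browser only exposes a credentialed cross-origin response when the server answers with a non-wildcard `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials: true`; the server-side hunk in this PR shows the former being set but not the latter, so whether that precondition holds is not visible here. I would add a comment above the option: `// 'include' also sends cookies on cross-origin API calls; the API must echo a specific Access-Control-Allow-Origin and set Access-Control-Allow-Credentials: true or the browser discards the response.` The enclosing `Client` method starts and ends outside the hunk.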

14 changes: 14 additions & 0 deletions tests/sentry/api/test_base.py
Expand Up @@ -53,6 +53,13 @@ def test_basic_cors(self):
assert response.status_code == 200, response.content

assert response["Access-Control-Allow-Origin"] == "http://example.com"
assert response["Access-Control-Allow-Headers"] == (
"X-Sentry-Auth, X-Requested-With, Origin, Accept, "
"Content-Type, Authentication, Authorization, Content-Encoding, "
"sentry-trace, baggage"
)
assert response["Access-Control-Expose-Headers"] == "X-Sentry-Error, Retry-After"
assert response["Access-Control-Allow-Methods"] == "GET, HEAD, OPTIONS"

def test_invalid_cors_without_auth(self):
request = self.make_request(method="GET")
Expand Down Expand Up @@ -86,6 +93,13 @@ def test_cors_not_configured_is_valid(self):

assert response.status_code == 200, response.content
assert response["Access-Control-Allow-Origin"] == "http://example.com"
assert response["Access-Control-Allow-Headers"] == (
"X-Sentry-Auth, X-Requested-With, Origin, Accept, "
"Content-Type, Authentication, Authorization, Content-Encoding, "
"sentry-trace, baggage"
)
assert response["Access-Control-Expose-Headers"] == "X-Sentry-Error, Retry-After"
assert response["Access-Control-Allow-Methods"] == "GET, HEAD, OPTIONS"


class PaginateTest(APITestCase):
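Review bot: Neither test asserts `Access-Control-Allow-Credentials`, although the frontend in this PR now sends every request with `credentials: 'include'`; if the endpoint is meant to serve credentialed cross-origin calls, add `assert response["Access-Control-Allow-Credentials"] == "true"` beside the Allow-Origin check in `test_basic_cors` (lines 74-81) and `test_cors_not_configured_is_valid` (lines 88-95), and if it is not, a one-line comment in the test saying so would stop the next reader from assuming it. The expected header list is repeated verbatim in both tests (lines 75-79 and 89-93); a module-level `EXPECTED_CORS_ALLOW_HEADERS = (...)` constant (name is a suggestion) would keep them in step the next time the list grows. Both test methods begin outside their hunks.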