add validation to allowed-origins to include path #265
Hi, first, thanks for your contribution! A couple of considerations for this PR:
Test contributions
@Dynom thanks for your help! I have merged your tests into this PR and they are all passing. Is there anything else I can do to help get this PR merged? I also added some documentation to README to help explain how this logic works.
I’m not sure if this is automated or not but after this PR gets merged, would it be possible to push a new Docker image to Docker registry?
I don't intend to sound rude or impatient as I know that this is an open source project and the maintainers likely have day jobs. That said, would it be possible to estimate when this change might be able to land? I'm trying to plan a release around this feature.
New release
@nicksrandall no offence taken. I fully understand the frustration, but it's exactly as you said it. The new Docker image is also available. Enjoy the release and thanks again for your contribution!
The use-case here is that we store our assets in AWS S3 and we'd like to restrict access to a certain bucket.
So, instead of starting service using `-allowed-origins https://s3.amazonaws.com` flag which isn't very useful in our case because this would allow anybody to use our service with any asset on s3, we could instead extend the allowed origins to something like `-allowed-origins https://s3.amazonaws.com/some_bucket/`.

Then, if a request comes in to fetch image at url `https://s3.amazonaws.com/some_bucket/path/image.jpg`, we would complete this request because it contains the host and basepath listed in allowed origins.

If the request had asked for `https://s3.amazonaws.com/different_bucket/path/image.jpg` or `https://s3.different-origin.com/some_bucket/path/image.jpg` the request would fail because host and basepath did not match an allowed origin.
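
The host-and-base-path check described in the PR description above, as an added Go example that is not the project's own code. `Origin`, `parseOrigin` and `isAllowed` are hypothetical names, and normalizing before comparing (lower-cased host, trailing slash on the base path, `.`/`..` segments resolved) is an assumption of this example, not something the thread states.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Origin is one parsed -allowed-origins entry (hypothetical type).
type Origin struct{ Host, BasePath string }

// parseOrigin normalizes an entry; the base path always ends in "/" so that
// "/some_bucket/" cannot match a sibling such as "/some_bucket_other/".
func parseOrigin(raw string) (Origin, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return Origin{}, fmt.Errorf("invalid origin %q", raw)
	}
	base := path.Clean("/" + u.Path)
	if !strings.HasSuffix(base, "/") {
		base += "/"
	}
	return Origin{strings.ToLower(u.Host), base}, nil
}

// isAllowed reports whether the target's host and cleaned path fall under
// one of the allowed origins.
func isAllowed(target string, allowed []Origin) bool {
	u, err := url.Parse(target)
	if err != nil || u.Host == "" {
		return false
	}
	// path.Clean resolves "." and ".." segments before the prefix comparison.
	p := path.Clean("/"+u.Path) + "/"
	for _, o := range allowed {
		if strings.ToLower(u.Host) == o.Host && strings.HasPrefix(p, o.BasePath) {
			return true
		}
	}
	return false
}

func main() {
	o, _ := parseOrigin("https://s3.amazonaws.com/some_bucket/") // entry from the PR description
	fmt.Println(isAllowed("https://s3.amazonaws.com/some_bucket/path/image.jpg", []Origin{o}))
}
```

A host-only entry such as `https://s3.amazonaws.com` normalizes to base path `/` and so still matches every path on that host, which is the behaviour the PR description sets out to narrow.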