-
Notifications
You must be signed in to change notification settings - Fork 320
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SUP-27] cors config updates #8633
base: main
Are you sure you want to change the base?
Conversation
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Summary
- Updated CORS Configuration: Separated CORS settings for public and private routes to enhance security and prevent credentials from being allowed in public graph requests.
- Scoped CORS Configurations: Moved CORS configurations within the public and private routers only, excluding routes like
/health
and/otel
.
Notes
- Security Enhancement: Ensures future-proofing by not allowing credentials for public graph requests.
- Code Reuse Opportunity: Consider centralizing CORS configuration logic to avoid duplication and ensure consistency across different environments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know you had an open question out for @Vadman97, but this looks good to me!
if origin == frontendURL || origin == "https://app.highlight.run" || origin == "https://app.highlight.io" || origin == landingStagingURL || isRenderPreviewEnv || isAWSEnv || isReflamePreview { | ||
return true | ||
} | ||
} else if runtimeParsed == util.PublicGraph || runtimeParsed == util.All { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should probably have separate public/private configs for hobby deploys too rather than using a single one for the All runtime?
yeah, we can detect the hobby deploy via the util.IsInDocker()
check, split out the configs and then use the REACT_APP_PRIVATE_GRAPH_URI
and REACT_APP_PUBLIC_GRAPH_URI
values for the respective origin checks. with the normal hobby deploy tho, the private and public graphs run together, but assuming the runtime flag is used we should use the corresponding origin
Summary
/health
,/otel
) and we should probably have separate public/private configs for hobby deploys too rather than using a single one for theAll
runtime - @Vadman97 can you confirm this last bullet point?How did you test this change?
Are there any deployment considerations?
Does this work require review from our design team?