Cors origin allowed list check

[aleixq]

I think is useful to be able to operate with data from Nextcloud from other websites cms such as moodle, drupal, wp's while using different domains. The app webappassword lets use the DAV resources, it uses the sabre pluggable system to modify the response checking against a list of allowed domains. But I cannot find a way to use share api from different domain as files_sharing app is not providing neither the necessary preflight OPTIONS route, nor the @CORS annotation in the relevant controller methods. Also using it will allow every domain to gain access, so I think it may open security breach in sites.

workaround for parts of

It's discussed also in digital-blueprint/webapppassword#1 , but I cannot find a way to listen for kernel-response events like https://symfony.com/doc/current/reference/events.html#kernel-response (as using symfony events is discouraged). So the workaround I end up using to be able to make requests from other domain is extending the shareapi controller to modify the response( https://gitlab.com/communia/files_sharing_webapppassword information about it is in app issue tracker: ). Of course, feedback about the ugliness of this workaround is welcome.

proposal

Maybe nextcloud could provide it natively, modifying the existing behavior in https://github.com/nextcloud/server/blob/master/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php#L116 to use a similar logic as I am using in the checkOrigin trait (https://gitlab.com/communia/files_sharing_webapppassword/-/blob/main/lib/Controller/AccessControl.php#L25 ) .

One thing that will remain is how to define somewhere the automatic adding of preflighted OPTIONS route if cors is used...

[aleixq]

Adding an application to be used as frontend to set the allowed origins, it's in separated repo at: Communia/cors_origin_filter_settings . (also reported in PR)

[szaimen]

Hi, did you know about this app?
https://apps.nextcloud.com/apps/webapppassword

[aleixq]

Hi, yes, but it has some limitations, as it only covers webdav and with a commit I have recently contributed it also adds share api support.
But as I said it has some limitations, it needs to reimplement every controller methods of the desired endpoint, so we(me and main developer) are agree in digital-blueprint/webapppassword#61 (comment) that a nextcloud native way of offfering this will be better.
That's why I work on this proposal

[aleixq]

Just note also that PR #37896 together with https://github.com/Communia/cors_origin_filter_settings would also make easier an enhanced filepicker such as one asked for in #2028 and #3131 , or the implemented one in https://github.com/julien-nc/nextcloud-webdav-filepicker that needs curl to workaround the cors problem (see more in https://github.com/julien-nc/nextcloud-webdav-filepicker#create-nextcloud-share-links )