
Allow to configure "allowed domains" for CORS on DAV #40537

Open
wants to merge 6 commits into base: master

Commits on Sep 20, 2023

  1. Enabled CORS on webdav and ocs

    * Exclude DAV CORS handling when no Origin specified
      This will exclude non-browser clients from CORS handling.
      Fixes some clients like davfs which break when CORS is enabled.
    * fix: CORS on WebDAV is not working
      WebDAV is not working at all when used by in-browser JavaScript because the CORS headers
      are only present in the OPTIONS request, but not in the subsequent WebDAV methods.
      * This behavior is caused by an erroneous json_decode call while retrieving the user's domains whitelist.
        It returns an object, so the is_array check always fails and no headers are sent.
    * Add Access-Control-Expose-Headers - to allow clients to access certain headers
    * Adding many headers as allowed headers + add capability to read additional allowed headers from config.php
    noveens authored and susnux committed Sep 20, 2023
    c1fa640
  2. Removed beforeController Logic

    I removed the beforeController logic here due to the change of handling CORS since PR 28457[1]
    
    According to the previous implementation, CORS was only allowed with methods that had @publicpage notation for preventing CSRF attacks.
    But in the latest PR by me, the current implementation is as follows:
    
        * maintain a white-list of domains for whom CORS is enabled
        * This list can be viewed and edited under settings -> personal -> security
    
    This implementation removes the need for `@PublicPage`[2].
    
    [1] owncloud/core#28457
    [2] owncloud/core#28864
    noveens authored and susnux committed Sep 20, 2023
    0cb950e
  3. fix: Make CORS handling admin configurable and fix tests

    Also make sure to only return allowed methods for DAV responses
    
    Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
    susnux committed Sep 20, 2023
    e608e5d
  4. feat: Implement settings frontend for allowed CORS domains

    Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
    susnux committed Sep 20, 2023
    33ae58e
  5. chore: Compile assets

    Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
    susnux committed Sep 20, 2023
    bcfaa85
  6. fix: Resolve some psalm issues

    Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
    susnux committed Sep 20, 2023
    d00b9cd
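The first commit's description covers two decisions worth seeing together: skipping CORS handling entirely when no Origin header is present, and the json_decode defect that made the allow-list check fail. The block below is an added illustration, not code from this PR or from Nextcloud; the storage format (a JSON array of origins), the function names, the header names and the method list are assumptions made for the example.

```php
<?php
// Added illustration, not Nextcloud's code. Storage format (a JSON array of
// origins), header names and method list are assumptions for the example.
// Decode the user's allowed-origin list. The defect described in commit 1:
// json_decode($json) returns a stdClass for a JSON object, so a following
// is_array() check always fails and no CORS headers are ever emitted. Passing
// true as the second argument makes json_decode return arrays instead.
function decodeAllowedOrigins(string $json): array {
    $decoded = json_decode($json, true);
    if (!is_array($decoded)) {
        return []; // empty or malformed config: allow nothing rather than everything
    }
    $origins = [];
    foreach ($decoded as $entry) {
        if (is_string($entry) && trim($entry) !== '') {
            $origins[] = strtolower(trim($entry));
        }
    }
    return $origins;
}

// Decide which CORS headers to add for one request, or none at all.
// No Origin header means a non-browser client (e.g. davfs): skip CORS handling.
// An Origin that is not on the allow-list also gets no CORS headers.
function corsHeadersFor(?string $origin, array $allowedOrigins, array $extraAllowedHeaders = []): array {
    if ($origin === null || $origin === '') {
        return [];
    }
    if (!in_array(strtolower($origin), $allowedOrigins, true)) {
        return [];
    }
    $allowedHeaders = array_merge(
        ['Authorization', 'Content-Type', 'Depth', 'Destination', 'If', 'OCS-APIRequest'],
        $extraAllowedHeaders // e.g. additional names read from config.php
    );
    return [
        'Access-Control-Allow-Origin'   => $origin, // echo the matched origin, never '*'
        'Access-Control-Allow-Methods'  => 'OPTIONS, GET, HEAD, PUT, DELETE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE',
        'Access-Control-Allow-Headers'  => implode(', ', $allowedHeaders),
        'Access-Control-Expose-Headers' => 'ETag, DAV', // lets the browser read these
        'Vary'                          => 'Origin',    // keep caches per-origin
    ];
}

// Constructed sample input and calls.
$allowed = decodeAllowedOrigins('["https://app.example.com", "https://files.example.org"]');
var_dump(corsHeadersFor('https://app.example.com', $allowed)); // origin on the list
var_dump(corsHeadersFor('https://other.example', $allowed));   // origin not on the list
var_dump(corsHeadersFor(null, $allowed));                      // non-browser client, CORS skipped
```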