cors: add a flag for cors #5671
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- added a flag to the rest server that if you are fine with accepting all cors you can. let the user decide Signed-off-by: Marko Baricevic <[email protected]>
tac0turtle
added
REST
T: Dev UX
tac0turtle
requested review from
alessio,
alexanderbez,
fedekunze and
jackzampolin
as code owners
|
First off VERY glad to see CORS coming back as an option. This greatly improves the developer experience of working with browser clients that interact with the REST endpoint. This has traditionally been a hot topic because of the security considerations of allowing users to expose a REST endpoint unfettered. While I think it should be up to the developer using the SDK to make those decisions and precautions themselves, I wonder whether this feature should be considered as intended for production or testing use. If just for testing then I think making it accept all CORS as it currently does makes sense, but maybe we should rename it something like If we are happy with the idea that this might be a production setting then maybe we should offer the flag to equal a string of comma separated values that can be parsed as follows: CORS(AllowedOrigins([]string{}))(usage seen here) This would allow a user to pass "*" to accept CORS from all origins or a comma separated list of approved origins. |
alessio
reviewed
Feb 19, 2020
client/lcd/root.go
Outdated
| ) | ||
|
|
||
| return err | ||
| }, | ||
| } | ||
|
|
||
| cmd.Flags().Bool(FlagAllowCORS, false, "Allows CORS requests from all domains") |
There was a problem hiding this comment.
This should be added in client/lcd.RegisterRestServerFlags()
alessio
previously requested changes
Feb 19, 2020
There was a problem hiding this comment.
I'm blocking this because I believe this requires discussion before we press ahead.
I acknowledge that this would make developers experience easier. I agree that especially while testing an app locally it's convenient to disable security features. Though IMHO it's our responsibility to make it as difficult as possible for developers to make dumb mistakes. I have few ideas on how to implement this without compromising on security (e.g. --cors flag may take effect on condition that a certain compilation flag is passed at build time + confirmation prompt when used). Let's discuss options, shall we? :)
alessio
reviewed
Feb 19, 2020
Co-Authored-By: Alessio Treglia <[email protected]>
Codecov Report
@@ Coverage Diff @@
## master #5671 +/- ##
=========================================
- Coverage 37.76% 36.96% -0.8%
=========================================
Files 328 328
Lines 30267 30915 +648
=========================================
Hits 11429 11429
- Misses 17645 18293 +648
Partials 1193 1193
|
alexanderbez
approved these changes
Feb 21, 2020
| @@ -68,6 +69,11 @@ func (rs *RestServer) Start(listenAddr string, maxOpen int, readTimeout, writeTi | |||
| ), | |||
| ) | |||
|
|
|||
| var h http.Handler = rs.Mux | |||
There was a problem hiding this comment.
nit:
Suggested change
| var h http.Handler = rs.Mux | |
| h := rs.Mux |
alexanderbez
dismissed
alessio’s stale review
All changes requested have been addressed.
|
That was fast. Nice one, @marbar3778 |
This was referenced Feb 28, 2020
Closed
Closed
4 tasks
ethanfrey
pushed a commit
to CosmWasm/cosmos-sdk
that referenced
this pull request
Jul 27, 2020
alessio
pushed a commit
that referenced
this pull request
Jul 27, 2020
This adds the --unsafe-cors flag functionality. From: #5671 Co-authored-by: Marko <[email protected]>
Raumo0
pushed a commit
to mapofzones/cosmos-sdk
that referenced
this pull request
Feb 13, 2022
* v0.38.4-RC1 * add release date * client/keys/parse: honor config changes (cosmos#6340) `keys parse` uses the global configuration before before client applications have had a chance to apply their settings. This change adds a `GetSealedConfig()` helper that waits for the config to be sealed before returning it. Fixes: cosmos#5091 Origin: cosmos@4e328d7 Author: Adam Bozanich <[email protected]> Reviewed-by: Alessio Treglia <[email protected]> * Merge PR cosmos#6505: Backport v0.38.5: IAVL Bump (RC) & Pruning Refactor * Fix cl * Fix cl * Merge PR cosmos#6551: Ethanfrey/fix trace flag * Merge PR cosmos#6552: Add sender info to bank transfer event * Merge PR cosmos#6581: v0.38.5-RC1 * Add release date * deps: bump IAVL to 0.14 * cl++ * Merge PR cosmos#6618: backport 0.39.0 (launchpad): cherry pick cosmos#5839 * launchpad: bump tendermint to v0.33.6 (cosmos#6673) * launchpad: bump tendermint to v0.33.6 * cha-cha-cha * fix types.ChainAnteDecorators() panic (cosmos#5742) (cosmos#6669) ChainAnteDecorators() panics when no arguments are supplied. This change its behaviour and the function now returns a nil AnteHandler in case no AnteDecorator instances are supplied. Closes: cosmos#5741 * launchpad: register MsgFundCommunityPool to distribution codec (cosmos#6675) Closes: cosmos#6210 * client: backport IBC additions (cosmos#6682) * launchpad: backport cliCtx.QueryABCI * add prove flag * Save account for multi sending (cosmos#6674) Include changes from PR cosmos#6283 Co-authored-by: Federico Kunze <[email protected]> Co-authored-by: Alessio Treglia <[email protected]> * baseapp: fix sender events accumulation (cosmos#6683) closes: cosmos#6306 original PR: cosmos#6307 * run go mod tidy * add changelog line re: issue that was not included in v0.38.5 * Fix changelog * add release notes * update CODEOWNERS as per STABLE_RELEASES.md Launchpad's Stable Release Managers team's current composition as approved by @okwme (ICF): * @alessio * @clevinson * @ethanfrey * Add milestone's URL * Revert "update CODEOWNERS as per STABLE_RELEASES.md" This reverts commit f384592. * fix typo * add example patch * launchpad: backport account sequence stuck (cosmos#6721) Launchpad fix for cosmos#6287 * update release notes * make explicit that the regression is fixed in 0.39 * update release notes * Update CHANGELOG.md * update release notes @ethanfrey * remove pruning info from changelog They have been moved to NEWS.md * Update NEWS.md Co-authored-by: Alexander Bezobchuk <[email protected]> * Mege PR cosmos#6749: auth: remove custom JSON marshaling * mv NEWS.md -> RELEASE_NOTES.md Self-explanatory naming convention. * Update changelog * add reference to gaia software upgrade * x/staking: add call to iterator Close() method (cosmos#6794) Original pull request: cosmos#6791 * [ci] fix linter (cosmos#6795) * Merge PR cosmos#6842: Remove custom acc JSON marshl * Backport cosmos#5671: Add a Flag for CORS (cosmos#6853) This adds the --unsafe-cors flag functionality. From: cosmos#5671 Co-authored-by: Marko <[email protected]> * Merge PR cosmos#6855: Allow passing through Content-Type (needed for POST) * Merge PR cosmos#6861: Revert "Backport 0.39.1: Remove Custom JSON Marshaling for Accounts" * Merge PR cosmos#6869: Backport 0.39.1: Launchpad Migration cosmos#6829 * Update changelog and release notes * Update x/auth/legacy/v0_39/types.go * Update x/auth/legacy/v0_38/types.go * Merge PR cosmos#6938: Fix v0.39 migrate test * Merge PR cosmos#6937: Bump Tendermint to v0.33.7 * Update x/auth/legacy/v0_39/types.go Co-authored-by: Alexander Bezobchuk <[email protected]> * update RELEASE_NOTES.md * update changelog * test case with real genesis data (cosmos#6995) * incorporate Ethan Frey's suggestion * make format * Update go mod * Remove some ci files * Modify data for test Co-authored-by: Alexander Bezobchuk <[email protected]> Co-authored-by: Aleksandr Bezobchuk <[email protected]> Co-authored-by: Alessio Treglia <[email protected]> Co-authored-by: Ethan Frey <[email protected]> Co-authored-by: Federico Kunze <[email protected]> Co-authored-by: Jonathan Gimeno <[email protected]> Co-authored-by: Marko <[email protected]>
Raumo0
pushed a commit
to mapofzones/cosmos-sdk
that referenced
this pull request
Feb 13, 2022
* v0.38.4-RC1 * add release date * client/keys/parse: honor config changes (cosmos#6340) `keys parse` uses the global configuration before before client applications have had a chance to apply their settings. This change adds a `GetSealedConfig()` helper that waits for the config to be sealed before returning it. Fixes: cosmos#5091 Origin: cosmos@4e328d7 Author: Adam Bozanich <[email protected]> Reviewed-by: Alessio Treglia <[email protected]> * Merge PR cosmos#6505: Backport v0.38.5: IAVL Bump (RC) & Pruning Refactor * Fix cl * Fix cl * Merge PR cosmos#6551: Ethanfrey/fix trace flag * Merge PR cosmos#6552: Add sender info to bank transfer event * Merge PR cosmos#6581: v0.38.5-RC1 * Add release date * deps: bump IAVL to 0.14 * cl++ * Merge PR cosmos#6618: backport 0.39.0 (launchpad): cherry pick cosmos#5839 * launchpad: bump tendermint to v0.33.6 (cosmos#6673) * launchpad: bump tendermint to v0.33.6 * cha-cha-cha * fix types.ChainAnteDecorators() panic (cosmos#5742) (cosmos#6669) ChainAnteDecorators() panics when no arguments are supplied. This change its behaviour and the function now returns a nil AnteHandler in case no AnteDecorator instances are supplied. Closes: cosmos#5741 * launchpad: register MsgFundCommunityPool to distribution codec (cosmos#6675) Closes: cosmos#6210 * client: backport IBC additions (cosmos#6682) * launchpad: backport cliCtx.QueryABCI * add prove flag * Save account for multi sending (cosmos#6674) Include changes from PR cosmos#6283 Co-authored-by: Federico Kunze <[email protected]> Co-authored-by: Alessio Treglia <[email protected]> * baseapp: fix sender events accumulation (cosmos#6683) closes: cosmos#6306 original PR: cosmos#6307 * run go mod tidy * add changelog line re: issue that was not included in v0.38.5 * Fix changelog * add release notes * update CODEOWNERS as per STABLE_RELEASES.md Launchpad's Stable Release Managers team's current composition as approved by @okwme (ICF): * @alessio * @clevinson * @ethanfrey * Add milestone's URL * Revert "update CODEOWNERS as per STABLE_RELEASES.md" This reverts commit f384592. * fix typo * add example patch * launchpad: backport account sequence stuck (cosmos#6721) Launchpad fix for cosmos#6287 * update release notes * make explicit that the regression is fixed in 0.39 * update release notes * Update CHANGELOG.md * update release notes @ethanfrey * remove pruning info from changelog They have been moved to NEWS.md * Update NEWS.md Co-authored-by: Alexander Bezobchuk <[email protected]> * Mege PR cosmos#6749: auth: remove custom JSON marshaling * mv NEWS.md -> RELEASE_NOTES.md Self-explanatory naming convention. * Update changelog * add reference to gaia software upgrade * x/staking: add call to iterator Close() method (cosmos#6794) Original pull request: cosmos#6791 * [ci] fix linter (cosmos#6795) * Merge PR cosmos#6842: Remove custom acc JSON marshl * Backport cosmos#5671: Add a Flag for CORS (cosmos#6853) This adds the --unsafe-cors flag functionality. From: cosmos#5671 Co-authored-by: Marko <[email protected]> * Merge PR cosmos#6855: Allow passing through Content-Type (needed for POST) * Merge PR cosmos#6861: Revert "Backport 0.39.1: Remove Custom JSON Marshaling for Accounts" * Merge PR cosmos#6869: Backport 0.39.1: Launchpad Migration cosmos#6829 * Update changelog and release notes * Update x/auth/legacy/v0_39/types.go * Update x/auth/legacy/v0_38/types.go * Merge PR cosmos#6938: Fix v0.39 migrate test * Merge PR cosmos#6937: Bump Tendermint to v0.33.7 * Update x/auth/legacy/v0_39/types.go Co-authored-by: Alexander Bezobchuk <[email protected]> * update RELEASE_NOTES.md * update changelog * test case with real genesis data (cosmos#6995) * incorporate Ethan Frey's suggestion * make format * Update go mod * Remove some ci files * Modify data for test * API server * Port telemetry * Initial metrics * Fix measure * Merge PR cosmos#6761: telemetry: use UTC() in wrappers * Remove file * Make format * Revert changes to client * Revert changes to client/lcd/root * Revert renames in client * Fix int64 panics * Revert "Revert renames in client" This reverts commit cc0a95d14c3212fa1c49f93789dd94e167427a57. * Revert "Revert changes to client/lcd/root" This reverts commit e3bb87bbacae13676c3a1f86f8d441d576b1f2ba. * Revert "Revert changes to client" This reverts commit 332cacba3242e503bcc4bffc3f6b25c1906efca4. Co-authored-by: Alexander Bezobchuk <[email protected]> Co-authored-by: Aleksandr Bezobchuk <[email protected]> Co-authored-by: Alessio Treglia <[email protected]> Co-authored-by: Ethan Frey <[email protected]> Co-authored-by: Federico Kunze <[email protected]> Co-authored-by: Jonathan Gimeno <[email protected]> Co-authored-by: Marko <[email protected]> Co-authored-by: Adam Bozanich <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
@ethanfrey
Signed-off-by: Marko Baricevic [email protected]
Closes: #XXX
Description
For contributor use:
docs/) or specification (x/<module>/spec/)godoccomments.Unreleasedsection inCHANGELOG.mdFiles changedin the Github PR explorerFor admin use:
WIP,R4R,docs, etc)