diff --git a/CHANGELOG.md b/CHANGELOG.md index bc470eed73..e841ecc140 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,8 +2,26 @@ Canonical reference for changes, improvements, and bugfixes for Boundary. +## Next + +### Bug Fixes + +* cors: Fix allowing all origins by default + [PR](https://github.com/hashicorp/boundary/pull/1134) + ## 0.2.0 (2021/04/14) +### Known Issues + +* By default, CORS support will allow all origins. This is due to a bug in how + the set of allowed origins was processed, in conjunction with changes to CORS + behavior to automatically include the origin of the Desktop Client. This will + be fixed in 0.2.1. In the meantime, this can be worked around by either + explicitly disabing CORS with `cors_enabled = false` in the `listener` config + block with purpose `api`; or setting an `allowed_origins` field to have values + other than `serve://boundary` (including values that do not map to any real + origin). + ### Deprecations/Changes * The `auth-methods/:authenticate:login` action is deprecated and will be diff --git a/internal/servers/controller/cors_test.go b/internal/servers/controller/cors_test.go index b1c2319178..7110446fdc 100644 --- a/internal/servers/controller/cors_test.go +++ b/internal/servers/controller/cors_test.go @@ -142,6 +142,13 @@ func TestHandler_CORS(t *testing.T) { code: http.StatusOK, listenerNum: 3, }, + { + name: "enabled with allowed origins and desktop origin", + method: http.MethodPost, + origin: "serve://boundary", + code: http.StatusOK, + listenerNum: 3, + }, { name: "enabled with wildcard origins and no origin defined", method: http.MethodPost, diff --git a/internal/servers/controller/handler.go b/internal/servers/controller/handler.go index 91121913c8..1e351d1dce 100644 --- a/internal/servers/controller/handler.go +++ b/internal/servers/controller/handler.go @@ -283,9 +283,7 @@ func wrapHandlerWithCors(h http.Handler, props HandlerProperties) http.Handler { case len(allowedOrigins) == 0: // not valid - case len(allowedOrigins) == 1 && - (allowedOrigins[0] == "*" || - allowedOrigins[0] == "serve://boundary"): + case len(allowedOrigins) == 1 && allowedOrigins[0] == "*": valid = true default: