Draft proposal of allowed origins cors list #37896
Conversation
|
Adding an application to be used as frontend to set the allowed origins, it's in separated repo at: https://github.com/Communia/cors_origin_filter_settings . I am marking this PR as it needs review right now although it needs to add and modify tests, let me know if it's better to set it back to DRAFT. |
Signed-off-by: Aleix Quintana Alsius <[email protected]>
szaimen
requested review from
nickvergessen,
vitormattos,
julien-nc and
come-nc
szaimen
added
3. to review
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Hi @aleixq is this PR WIP, as mentioned at body of descriptio? If is WIP, I think that would be good convert to draft and change the label to |
|
Thank you for caring, vitor. Yes, the code could be reviewed and its main idea evaluated:
But there are parts not done yet:
Just looking for feedback before continue the work on this. As I don't want to waste everyone's time with a lot of code if it's futile. Said this, if it's better to set back to draft until everything is done, no problem. |
Signed-off-by: Aleix Quintana Alsius <[email protected]>
skjnldsv
added
2. developing
|
@aleixq thanks for the ping! #40537 looks more active indeed, if you think this is also a good approach to the initial PR, then great news, we'll try to move the other one forward. If you think this one still apply, maybe you're willing to take over and push it forward? |
|
Thank's for your comment. You are true about the activity, and tbh it's more broadly implemented, so better let's close this and wait and test how this will land in nextcloud and then suggest new features if it's still needed (in fact I am apporting my impressions there right now). |
|
Thank you for taking the time to reply! :) |
Summary
This is a WIP draft PR, that partially implements allowed origins list, to not open everywhere the nextcloud ocs and external api, and allowing to open some parts as the interaction will be limited. This is planned in a way that the desired endpoints will use the apicontroller instead of the base controller, so they can use the inherited preflighted_cors method.
When using so and adding the annotation
@corsin desired method, filter will be done, The definition of the allowed origins will be done in system and in the (to be defined) app in a general and in a app manner, so for example in case of files_sharing will check in config.php for list of allowed_origins, then in (tbd) app settings, then will check also in config.php the value of files_sharing.allowed_origins and in (tbd) app settings the value of files_sharing.allowed_origins.If http_origin header matches any entry in these settings will allow the use of api from this origin url.
As example I am allowing the preview endpoint only but it culd be opened to other endpoints easily, just grab the code and define
in config.php
then check if you can get a preview when calling from the allowed origin url (a simple js fetch can be done).
The frontend to control allowed_origins is yet to be done depending on how accepted is this draft or if you think it's a bad and ugly way of achieving the filtering.
todo in this pr