magdalenaorlowska commented Mar 3, 2025

Description

New Task that checks if none of the Project Configurations overrides the built-in com.adobe.granite.cors.impl.CORSPolicyImpl settings.

Developers will receive a build warning if the project-level configuration (com.adobe.granite.cors.impl.CORSPolicyImpl~...json) includes the alloworigin or alloworiginregexp properties that may restrict access to URLs such as https://experience.adobe.com or https://static.adobe.net.

Related Issue

SITES-23772 AEM Analyzer Plugin: CORS Configuration

Motivation and Context

We have multiple customers facing CORS issues which are widely back-traceable to a custom CORS configuration including the adobe.com domain.

How Has This Been Tested?

I've run the plugin on a project created from the AEM Project Archetype + several correct & invalid configurations.

Screenshots (if appropriate):

n/a

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have signed the Adobe Open Source CLA.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
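
The check described above, as an added example in Python (not code from this PR or from the plugin): it flags project-level CORSPolicyImpl configurations whose alloworigin or alloworiginregexp values cover Adobe origins. The function names, the domain list, the use of Python's `re` in place of Java regex and whole-origin matching are assumptions; the sample configurations are constructed.

```python
import re
from urllib.parse import urlsplit

# Factory PID and the two origins come from the PR description; the rest is assumed.
CORS_FACTORY_PID = "com.adobe.granite.cors.impl.CORSPolicyImpl"
ADOBE_ORIGINS = ("https://experience.adobe.com", "https://static.adobe.net")
ADOBE_DOMAINS = ("adobe.com", "adobe.net")  # assumed scope of the check

# Constructed sample input: file name -> parsed .cfg.json content.
SAMPLE_CONFIGS = {
    CORS_FACTORY_PID + "~site.cfg.json": {
        "alloworigin": ["https://www.example.com", "https://experience.adobe.com"]},
    CORS_FACTORY_PID + "~regex.cfg.json": {
        "alloworiginregexp:String[]": [r"https://.*\.adobe\.(com|net)"]},
    CORS_FACTORY_PID + "~ok.cfg.json": {"alloworigin": ["https://notadobe.com"]},
    "org.example.Other.cfg.json": {"alloworigin": ["https://experience.adobe.com"]},
}

def _values(config, name):
    """Property values as a list; accepts typed keys such as 'alloworigin:String[]'."""
    for key, value in config.items():
        if key.split(":", 1)[0] == name:
            return value if isinstance(value, list) else [value]
    return []

def _is_adobe_host(origin):
    host = (urlsplit(origin).hostname or "").lower()
    # Match on a label boundary so 'notadobe.com' is not flagged.
    return any(host == d or host.endswith("." + d) for d in ADOBE_DOMAINS)

def check_cors_configs(configs):
    """Return one warning string per offending property value."""
    warnings = []
    for filename, config in configs.items():
        if not filename.startswith(CORS_FACTORY_PID + "~"):
            continue  # not a project-level CORS policy configuration
        for origin in _values(config, "alloworigin"):
            if _is_adobe_host(str(origin)):
                warnings.append(f"{filename}: alloworigin lists {origin!r}")
        for pattern in _values(config, "alloworiginregexp"):
            try:
                hits = [o for o in ADOBE_ORIGINS if re.fullmatch(str(pattern), o)]
            except re.error:
                warnings.append(f"{filename}: alloworiginregexp {pattern!r} does not compile")
                continue
            if hits:
                warnings.append(f"{filename}: alloworiginregexp {pattern!r} matches {hits}")
    return warnings
```
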

Contributor

kwin commented Mar 3, 2025

I think this should rather be enforced via https://github.com/apache/sling-org-apache-sling-feature-extension-apiregions/blob/master/docs/api-regions.md#configurations

@maximilianvoss

> I think this should rather be enforced via https://github.com/apache/sling-org-apache-sling-feature-extension-apiregions/blob/master/docs/api-regions.md#configurations

Can you elaborate how API regions can help on this use case?
Customers are allowed to bring their own configurations for CORS, only certain values are not allowed to be in the configuration.

Contributor

kwin commented Mar 4, 2025

The description said otherwise:

> New Task that checks if none of the Project Configurations overrides the built-in com.adobe.granite.cors.impl.CORSPolicyImpl settings.

But AFAIK the API regions supports regex per property: https://github.com/apache/sling-org-apache-sling-feature-extension-apiregions/blob/master/docs/api-regions.md#properties. That can be leveraged to exclude values with adobe.com.
