Allow any origin in CORS responses from more routes (#35761)

GitOrigin-RevId: a279eeb0ce37db610a94f30b0cd8b1c2653acc43

Author: thomasballinger

crates/common/src/http/mod.rs

@@ -66,14 +66,7 @@ use http::{
     header::{
         HeaderName,
         HeaderValue,
-        ACCEPT,
-        ACCEPT_LANGUAGE,
-        AUTHORIZATION,
-        CONTENT_TYPE,
-        REFERER,
-        USER_AGENT,
     },
-    request::Parts,
     HeaderMap,
     Method,
     StatusCode,
@@ -100,6 +93,7 @@ use tower::{
     ServiceBuilder,
 };
 use tower_http::cors::{
+    AllowHeaders,
     AllowOrigin,
     CorsLayer,
 };
@@ -1217,17 +1211,7 @@ impl<T: fmt::Display> fmt::Display for LogOptFmt<T> {
 // different headers.
 pub fn cli_cors() -> CorsLayer {
     CorsLayer::new()
-        .allow_headers(vec![
-            "baggage".parse().unwrap(),
-            "sentry-trace".parse().unwrap(),
-            ACCEPT,
-            ACCEPT_LANGUAGE,
-            AUTHORIZATION,
-            CONTENT_TYPE,
-            CONVEX_CLIENT_HEADER,
-            REFERER,
-            USER_AGENT,
-        ])
+        .allow_headers(AllowHeaders::mirror_request())
         .allow_credentials(true)
         .allow_methods(vec![
             Method::GET,
@@ -1236,13 +1220,7 @@ pub fn cli_cors() -> CorsLayer {
             Method::OPTIONS,
             Method::DELETE,
         ])
-        // `predicate` of `true` allows all origins without allow-origin *,
-        // since that wouldn't allow use of credentials.
-        .allow_origin(
-            AllowOrigin::predicate(|_origin: &HeaderValue, _request_head: &Parts| {
-                true
-            }),
-        )
+        .allow_origin(AllowOrigin::mirror_request())
         .max_age(Duration::from_secs(86400))
 }
 

crates/local_backend/src/router.rs

@@ -19,10 +19,7 @@ use axum::{
     Router,
 };
 use common::{
-    http::{
-        cli_cors,
-        CONVEX_CLIENT_HEADER,
-    },
+    http::cli_cors,
     knobs::{
         AIRBYTE_STREAMING_IMPORT_REQUEST_SIZE_LIMIT,
         MAX_BACKEND_PUBLIC_API_REQUEST_SIZE,
@@ -32,23 +29,14 @@ use common::{
     },
 };
 use http::{
-    header::{
-        ACCEPT,
-        ACCEPT_LANGUAGE,
-        AUTHORIZATION,
-        CONTENT_TYPE,
-        REFERER,
-        USER_AGENT,
-    },
-    request,
-    HeaderValue,
     Method,
     StatusCode,
 };
 use metrics::SERVER_VERSION_STR;
 use tower::ServiceBuilder;
 use tower_http::{
     cors::{
+        AllowHeaders,
         AllowOrigin,
         CorsLayer,
     },
@@ -412,17 +400,7 @@ where
 
 pub fn cors() -> CorsLayer {
     CorsLayer::new()
-        .allow_headers(vec![
-           "baggage".parse().unwrap(),
-           "sentry-trace".parse().unwrap(),
-           ACCEPT,
-           ACCEPT_LANGUAGE,
-           AUTHORIZATION,
-           CONTENT_TYPE,
-           CONVEX_CLIENT_HEADER,
-           REFERER,
-           USER_AGENT,
-        ])
+        .allow_headers(AllowHeaders::mirror_request())
         .allow_credentials(true)
         .allow_methods(vec![
             Method::GET,
@@ -432,19 +410,6 @@ pub fn cors() -> CorsLayer {
             Method::DELETE,
             Method::PUT,
         ])
-        // Don't use tower_http::cors::any(), it causes the server to respond with
-        // Access-Control-Allow-Origin: *. Browsers restrict sending credentials to other domains
-        // that reply to a CORS with allow-origin *.
-        //
-        // https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
-        //
-        // Instead respond with Access-Control-Allow-Origin set to the submitted Origin header.
-        //
-        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#directives
-        .allow_origin(
-            AllowOrigin::predicate(|_origin: &HeaderValue, _request_head: &request::Parts| {
-                true
-            }),
-        )
+        .allow_origin(AllowOrigin::mirror_request())
         .max_age(Duration::from_secs(86400))
 }