Changed CORS to use * origin by default

akclace · akclace · commit bd49fe24a6be · 2024-08-27T18:44:34.000-07:00
diff --git a/internal/app/app.go b/internal/app/app.go
@@ -4,7 +4,6 @@
 package app
 
 import (
-	"cmp"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -512,13 +511,14 @@ func (a *App) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if a.appConfig.CORS.Setting == "strict" || a.appConfig.CORS.Setting == "lax" {
-		origin := "*"
-		if a.appConfig.CORS.Setting == "strict" {
+	if a.appConfig.CORS.AllowOrigin != "" {
+		origin := a.appConfig.CORS.AllowOrigin
+		if a.appConfig.CORS.AllowOrigin == "origin" {
 			origin = getRequestUrl(r)
 		}
+
 		if r.Method == http.MethodOptions {
-			w.Header().Set("Access-Control-Allow-Origin", cmp.Or(a.appConfig.CORS.AllowOrigin, origin))
+			w.Header().Set("Access-Control-Allow-Origin", origin)
 			w.Header().Set("Access-Control-Allow-Methods", a.appConfig.CORS.AllowMethods)
 			w.Header().Set("Access-Control-Allow-Headers", a.appConfig.CORS.AllowHeaders)
 			w.Header().Set("Access-Control-Allow-Credentials", a.appConfig.CORS.AllowCredentials)
@@ -528,7 +528,7 @@ func (a *App) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusNoContent)
 			return
 		} else {
-			w.Header().Set("Access-Control-Allow-Origin", cmp.Or(a.appConfig.CORS.AllowOrigin, origin))
+			w.Header().Set("Access-Control-Allow-Origin", origin)
 			w.Header().Set("Access-Control-Allow-Methods", a.appConfig.CORS.AllowMethods)
 			w.Header().Set("Access-Control-Allow-Headers", a.appConfig.CORS.AllowHeaders)
 		}
diff --git a/internal/system/clace.default.toml b/internal/system/clace.default.toml
@@ -60,11 +60,11 @@ db_connection = "sqlite:$CL_HOME/clace_app.db"
 #  clace app update-metadata conf --promote cors.allow_methods="GET, POST" /myapp
 
 # CORS related Config
-# default setting is strict, which means allow_origin is set to host url. "lax" allows all origins, "*".
-# "disabled" means no CORS headers are set. if allow_origin is set, it will be used as the origin value.
-cors.setting = "strict"
-cors.allow_origin = ""
-cors.allow_methods = "GET,POST,PUT,DELETE,PATCH,OPTIONS"
+# Default setting is to add CORS headers with * as allow_origin header. If cors.allow_origin is set to empty string,
+# no CORS headers are set. If allow_origin is set to "origin", the origin host is used as the allow_origin header. 
+# For any other value for cors.allow_origin, the specified value is used as the allow_origin header.
+cors.allow_origin = "*"
+cors.allow_methods = "*"
 cors.allow_headers = "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Requested-With"
 cors.allow_credentials = "true"
 cors.max_age = "2678400"                                                                                                                 # 31 days
diff --git a/internal/system/config_test.go b/internal/system/config_test.go
@@ -59,10 +59,9 @@ func TestServerConfig(t *testing.T) {
 	testutil.AssertEqualsString(t, "command", "auto", c.System.ContainerCommand)
 
 	// App CORS default Settings
-	testutil.AssertEqualsString(t, "cors setting", "strict", c.AppConfig.CORS.Setting)
-	testutil.AssertEqualsString(t, "cors origin", "", c.AppConfig.CORS.AllowOrigin)
+	testutil.AssertEqualsString(t, "cors origin", "*", c.AppConfig.CORS.AllowOrigin)
 	testutil.AssertEqualsString(t, "cors headers", "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Requested-With", c.AppConfig.CORS.AllowHeaders)
-	testutil.AssertEqualsString(t, "cors methods", "GET,POST,PUT,DELETE,PATCH,OPTIONS", c.AppConfig.CORS.AllowMethods)
+	testutil.AssertEqualsString(t, "cors methods", "*", c.AppConfig.CORS.AllowMethods)
 	testutil.AssertEqualsString(t, "cors methods", "true", c.AppConfig.CORS.AllowCredentials)
 	testutil.AssertEqualsString(t, "cors methods", "2678400", c.AppConfig.CORS.MaxAge)
 }
diff --git a/tests/commander/test_versions.yaml b/tests/commander/test_versions.yaml
@@ -161,14 +161,14 @@ tests:
     stderr: "error: version commands not supported for dev app"
 
   # Test CORS
-  versions0300: # default is strict origin
+  versions0300: # default is origin is *
     command: curl -Iu "admin:qwerty" localhost:25222/versions_local1 | grep -i access-control-allow-origin | cut -f2- -d':'
-    stdout: "http://localhost:25222"
-  versions0301: # change to lax setting
-    command: ../clace app update-metadata conf --promote cors.setting=lax /versions_local1
+    stdout: "*"
+  versions0301: # change to "origin" setting
+    command: ../clace app update-metadata conf --promote cors.allow_origin=origin /versions_local1
   versions0302:
     command: curl -Iu "admin:qwerty" localhost:25222/versions_local1 | grep -i access-control-allow-origin | cut -f2- -d':'
-    stdout: "*"
+    stdout: "http://localhost:25222"
   versions0303: # custom origin
     command: ../clace app update-metadata conf --promote cors.allow_origin=abc /versions_local1
   versions0304:
