feat: CORS headers for served assets #490
Conversation
|
partially related #292, but i'm think it's simplier to land CORS, comparing to this stalled MR |
| @@ -134,6 +134,9 @@ function handleRequest( | |||
| return; | |||
| } | |||
|
|
|||
| response.setHeader('Access-Control-Allow-Origin', '*'); | |||
| response.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS'); | |||
There was a problem hiding this comment.
I believe the original concern from @joliss was that if this was enabled by default, all broccoli development environments could leak information (anything files served by the development middleware) to malicious websites the developers navigates too while running a broccoli service. Although this may seem somewhat esoteric, it exposes a risk I do not feel comfortable with either.
Many security issues are the composition of several not super serious issues. For example, one very dangerous composition would be:
- if broccoli development environments had
'Access-Control-Allow-Origin:': '*' - the static file serving middleware, or a user provided middleware, had a path traversal vulnerability.
... - any file readable by the development server could be accessed (which compounds if users happen to run the broccoli process with
sudo
Other scenarios would be well known files or endpoints that contain data someone malicious can predict, or fuz for.
The approach of allowing users to specify their own headers seems appropriate, as we provide a more secure default experience, and allow them to opt out if they want. We should also discourage 'Access-Control-Allow-Origin': '*', and encourage explicit development domains to guard against scenarios such as the one listed above
There was a problem hiding this comment.
resurrecting #292 or something targeted specifically at CORS seems appropriate
There was a problem hiding this comment.
@stefanpenner could we have Access-Control-Allow-Origin for localhost, 0.0.0.0, 192.168.0.1 ? (imho, it will cover 90% usecases)
There was a problem hiding this comment.
or, we could add cli option --allowed-origins to support CORS (by default we could support only localhost and 192.168.0.1)
There was a problem hiding this comment.
Hosts that are aliases for localhost seems like a good compromise. Let me think about it through a touch more, and reach out to some other folks to confirm.
good idea!
Use case:
We point to broccoli-served assets from port 5000 to 4200 and getting CORS error.
This MR introduce CORS headers for static assets, and should solve this error.