Always allow localhost:* on CORS (#47663)

* Always allow localhost:* on CORS * Use `embedding-app-origin-sdk` method for the headers * Fix BE code formatting * Fix BE formatting

Always allow localhost:* on CORS (#47663)
e9db8813 · Mahatthana (Kelvin) Nomsawadi · GitHub · b1a36a05 · e9db8813 · e9db8813
Unverified Commit e9db8813 authored 7 months ago by Mahatthana (Kelvin) Nomsawadi Committed by GitHub 7 months ago
--- a/src/metabase/server/middleware/security.clj
+++ b/src/metabase/server/middleware/security.clj
@@ -118,6 +118,11 @@
  (when (and (embed.settings/enable-embedding) (embed.settings/embedding-app-origin))
    (embed.settings/embedding-app-origin)))

+(defn- embedding-app-origin-sdk
+  []
+  (when (embed.settings/enable-embedding)
+    (str "localhost:* " (embed.settings/embedding-app-origin))))
+
 (defn- content-security-policy-header-with-frame-ancestors
  [allow-iframes? nonce]
  (update (content-security-policy-header nonce)
@@ -179,11 +184,12 @@
                (approved-port? (:port origin) (:port approved-origin))))
             approved-list)))))

-(defn- access-control-headers
+(defn access-control-headers
+  "Returns headers for CORS requests"
  [origin]
  (merge
   (when
-    (approved-origin? origin (embedding-app-origin))
+    (approved-origin? origin (embedding-app-origin-sdk))
     {"Access-Control-Allow-Origin" origin
      "Vary"                        "Origin"})

@@ -208,7 +214,7 @@
     (cache-prevention-headers))
   strict-transport-security-header
   (content-security-policy-header-with-frame-ancestors allow-iframes? nonce)
-   (when (embedding-app-origin) (access-control-headers origin))
+   (when (embedding-app-origin-sdk) (access-control-headers origin))
   (when-not allow-iframes?
     ;; Tell browsers not to render our site as an iframe (prevent clickjacking)
     {"X-Frame-Options"                 (if (embedding-app-origin)

--- a/test/metabase/server/middleware/security_test.clj
+++ b/test/metabase/server/middleware/security_test.clj
@@ -181,3 +181,20 @@

  (testing "Should handle invalid origins"
    (is (true? (mw.security/approved-origin? "http://example.com" "  fpt://something http://example.com ://123  4")))))
+
+(deftest test-access-control-headers?
+  (testing "Should always allow localhost:*"
+    (tu/with-temporary-setting-values [enable-embedding     true
+                                       embedding-app-origin nil]
+      (is (= "http://localhost:8080" (get (mw.security/access-control-headers "http://localhost:8080") "Access-Control-Allow-Origin")))))
+
+  (testing "Should disable CORS when embedding is disabled"
+    (tu/with-temporary-setting-values [enable-embedding     false
+                                       embedding-app-origin nil]
+      (is (= nil (get (mw.security/access-control-headers "http://localhost:8080") "Access-Control-Allow-Origin")))))
+
+  (testing "Should work with embedding-app-origin"
+    (mt/with-premium-features #{:embedding}
+      (tu/with-temporary-setting-values [enable-embedding     true
+                                         embedding-app-origin "example.com"]
+        (is (= "https://example.com" (get (mw.security/access-control-headers "https://example.com") "Access-Control-Allow-Origin")))))))