Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Embedding app origin setting should allow multiple origins for the Access-Control-Allow-Origin header #42631

Closed
npretto opened this issue May 14, 2024 · 1 comment · Fixed by #42888 or #43170
Closed

Embedding app origin setting should allow multiple origins for the Access-Control-Allow-Origin header #42631

npretto opened this issue May 14, 2024 · 1 comment · Fixed by #42888 or #43170
Assignees
@npretto
Labels
backport Automatically create PR on current release branch on merge .Task Not a part of any Epic, used by the Task Issue Template .Team/Embedding
Milestone
0.50

Comments

@npretto
Copy link
Member

npretto commented May 14, 2024

Context

We're started using embedding-app-origin to make the embedding sdk work on other domains via Access-Control-Allow-Origin. This has a small issue as Access-Control-Allow-Origin should only return one origin (or "*") while we tell the users to give us a list of origins separated by a space:
image

A solution could be to change the following line

metabase/src/metabase/server/middleware/security.clj

Line 131 in ef15d0e

{"Access-Control-Allow-Origin" (embedding-app-origin)

to return the referrer if it's present in the list of allowed origins. We'll need to normalize the origins before doing the check.

We use the same setting for multiple headers, we should also double check if the formats are compatible.
@npretto npretto added .Task Not a part of any Epic, used by the Task Issue Template .Team/Embedding labels May 14, 2024
@npretto npretto self-assigned this May 16, 2024
@albertoperdomo albertoperdomo added the backport Automatically create PR on current release branch on merge label May 17, 2024
@npretto npretto mentioned this issue May 20, 2024
Merged
@npretto npretto added this to the 0.50 milestone May 24, 2024
@NevRA NevRA reopened this May 24, 2024
@npretto
Copy link
Member Author

npretto commented May 24, 2024

For context, the PR closing this issue was reverted with this #43125 because it broke staging

@npretto npretto mentioned this issue May 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@npretto npretto

Labels
backport Automatically create PR on current release branch on merge .Task Not a part of any Epic, used by the Task Issue Template .Team/Embedding
Projects
None yet
Milestone
0.50
3 participants
@albertoperdomo @NevRA @npretto