Embedding app origin setting should allow multiple origins for the Access-Control-Allow-Origin header
#42631
Labels
backport
Automatically create PR on current release branch on merge
.Task
Not a part of any Epic, used by the Task Issue Template
.Team/Embedding
Context
We've started using embedding-app-origin to make the embedding SDK work on other domains via Access-Control-Allow-Origin. This has a small issue, as Access-Control-Allow-Origin should only return one origin (or "*") while we tell the users to give us a list of origins separated by a space:
A solution could be to change the following line
metabase/src/metabase/server/middleware/security.clj
Line 131 in ef15d0e
to return the referrer if it's present in the list of allowed origins. We'll need to normalize the origins before doing the check.
We use the same setting for multiple headers, we should also double check if the formats are compatible.
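One way to implement the check proposed in this issue, as an added example that is not Metabase's code and not the contents of security.clj: the space-separated setting is parsed into a set of normalized origins, and the response carries a single Access-Control-Allow-Origin value only when the request's origin is in that set. The namespace, function names and sample values are hypothetical, and the example assumes the value being matched is the request's Origin header.

```clojure
(ns example.cors
  (:require [clojure.string :as str])
  (:import (java.net URI)))

(def default-ports {"http" 80, "https" 443})

(defn normalize-origin
  "Lower-cases scheme and host, drops a default port, any path and trailing
  slash. Returns nil unless the input is an absolute http(s) URL with a host."
  [s]
  (try
    (let [uri    (URI. (str/trim (or s "")))
          scheme (some-> (.getScheme uri) str/lower-case)
          host   (some-> (.getHost uri) str/lower-case)
          port   (.getPort uri)]
      (when (and host (contains? default-ports scheme))
        (str scheme "://" host
             (when-not (or (= port -1) (= port (default-ports scheme)))
               (str ":" port)))))
    (catch Exception _ nil)))

(defn allowed-origins
  "Parses the space-separated setting value into a set of normalized origins.
  Entries that do not parse as origins are dropped."
  [setting]
  (into #{} (keep normalize-origin) (str/split (str/trim (or setting "")) #"\s+")))

(defn cors-headers
  "Returns the CORS headers for one response. At most one origin is emitted.
  Vary: Origin keeps a shared cache from replaying one origin's response to
  another. An unlisted or unparseable origin gets no allow header at all."
  [setting request-origin]
  (let [origin (normalize-origin request-origin)]
    (cond
      (= "*" (str/trim (or setting "")))
      {"Access-Control-Allow-Origin" "*"}

      (and origin (contains? (allowed-origins setting) origin))
      {"Access-Control-Allow-Origin" origin, "Vary" "Origin"}

      :else
      {"Vary" "Origin"})))

;; Constructed sample values, not taken from the issue.
(def sample-setting "https://app.example.com https://Partner.example.org:443/")

(comment
  (cors-headers sample-setting "https://partner.example.org")
  (cors-headers sample-setting "https://app.example.com.evil.example"))
```

The comparison is an exact match on the normalized string, so a prefix or substring of an allowed origin never matches.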