adapt cors headers

Signed-off-by: Christian Richter <crichter@owncloud.com> Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2026-02-21 13:09:10 -06:00 · 2024-02-23 08:53:06 +01:00
parent 6927fe1afd
commit 72916dc53c
8 changed files with 48 additions and 13 deletions
--- a/ocis-pkg/config/config.go
+++ b/ocis-pkg/config/config.go
@@ -68,7 +68,7 @@ type Config struct {

 	Mode    Mode // DEPRECATED
 	File    string
-	OcisURL string `yaml:"ocis_url" desc:"URL, where oCIS is reachable for users."`
+	OcisURL string `yaml:"ocis_url" env:"OCIS_URL" desc:"URL, where oCIS is reachable for users."`

 	Registry          string               `yaml:"registry"`
 	TokenManager      *shared.TokenManager `yaml:"token_manager"`
--- a/services/frontend/pkg/config/defaults/defaultconfig.go
+++ b/services/frontend/pkg/config/defaults/defaultconfig.go
@@ -31,7 +31,7 @@ func DefaultConfig() *config.Config {
 			Protocol:  "tcp",
 			Prefix:    "",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 				AllowedMethods: []string{
 					"OPTIONS",
 					"HEAD",
@@ -73,7 +73,7 @@ func DefaultConfig() *config.Config {
 					"X-HTTP-Method-Override",
 					"Cache-Control",
 				},
-				AllowCredentials: true,
+				AllowCredentials: false,
 			},
 		},
 		Service: config.Service{
@@ -185,6 +185,10 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
 	}

+	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }

 // Sanitize sanitized the configuration
--- a/services/invitations/pkg/config/defaults/defaultconfig.go
+++ b/services/invitations/pkg/config/defaults/defaultconfig.go
@@ -26,7 +26,7 @@ func DefaultConfig() *config.Config {
 			Root:      "/graph/v1.0",
 			Namespace: "com.owncloud.graph",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 			},
 		},
 		Service: config.Service{
@@ -77,6 +77,11 @@ func EnsureDefaults(cfg *config.Config) {
 	} else if cfg.TokenManager == nil {
 		cfg.TokenManager = &config.TokenManager{}
 	}
+
+	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }

 func Sanitize(cfg *config.Config) {
--- a/services/ocdav/pkg/config/defaults/defaultconfig.go
+++ b/services/ocdav/pkg/config/defaults/defaultconfig.go
@@ -30,7 +30,7 @@ func DefaultConfig() *config.Config {
 			Protocol:  "tcp",
 			Prefix:    "",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 				AllowedMethods: []string{
 					"OPTIONS",
 					"HEAD",
@@ -71,7 +71,7 @@ func DefaultConfig() *config.Config {
 					"X-HTTP-Method-Override",
 					"Cache-Control",
 				},
-				AllowCredentials: true,
+				AllowCredentials: false,
 			},
 		},
 		Service: config.Service{
@@ -137,6 +137,11 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" {
 		cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
 	}
+
+	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }

 // Sanitize sanitizes the configuration
--- a/services/ocm/pkg/config/defaults/defaultconfig.go
+++ b/services/ocm/pkg/config/defaults/defaultconfig.go
@@ -32,7 +32,7 @@ func DefaultConfig() *config.Config {
 			Protocol:  "tcp",
 			Prefix:    "",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 				AllowedMethods: []string{
 					"OPTIONS",
 					"HEAD",
@@ -73,7 +73,7 @@ func DefaultConfig() *config.Config {
 					"X-HTTP-Method-Override",
 					"Cache-Control",
 				},
-				AllowCredentials: true,
+				AllowCredentials: false,
 			},
 		},
 		GRPC: config.GRPCConfig{
@@ -165,6 +165,11 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.GRPC.TLS == nil && cfg.Commons != nil {
 		cfg.GRPC.TLS = structs.CopyOrZeroValue(cfg.Commons.GRPCServiceTLS)
 	}
+
+	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }

 // Sanitize sanitizes the config
--- a/services/storage-users/pkg/config/defaults/defaultconfig.go
+++ b/services/storage-users/pkg/config/defaults/defaultconfig.go
@@ -38,7 +38,7 @@ func DefaultConfig() *config.Config {
 			Protocol:  "tcp",
 			Prefix:    "data",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 				AllowedMethods: []string{
 					"POST",
 					"HEAD",
@@ -63,7 +63,7 @@ func DefaultConfig() *config.Config {
 					"Upload-Incomplete",
 					"Upload-Draft-Interop-Version",
 				},
-				AllowCredentials: true,
+				AllowCredentials: false,
 				ExposedHeaders: []string{
 					"Upload-Offset",
 					"Location",
@@ -208,6 +208,11 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.Tasks.PurgeTrashBin.UserID == "" && cfg.Commons != nil {
 		cfg.Tasks.PurgeTrashBin.UserID = cfg.Commons.AdminUserID
 	}
+
+	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }

 // Sanitize sanitized the configuration
--- a/services/web/pkg/config/defaults/defaultconfig.go
+++ b/services/web/pkg/config/defaults/defaultconfig.go
@@ -32,7 +32,7 @@ func DefaultConfig() *config.Config {
 			CacheTTL:  604800, // 7 days

 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 				AllowedMethods: []string{
 					"OPTIONS",
 					"HEAD",
@@ -73,7 +73,7 @@ func DefaultConfig() *config.Config {
 					"Upload-Offset",
 					"X-HTTP-Method-Override",
 				},
-				AllowCredentials: true,
+				AllowCredentials: false,
 			},
 		},
 		Service: config.Service{
@@ -173,6 +173,11 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.Commons != nil {
 		cfg.HTTP.TLS = cfg.Commons.HTTPServiceTLS
 	}
+
+	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }

 // Sanitize sanitized the configuration
--- a/services/webfinger/pkg/config/defaults/defaultconfig.go
+++ b/services/webfinger/pkg/config/defaults/defaultconfig.go
@@ -29,7 +29,8 @@ func DefaultConfig() *config.Config {
 			Root:      "/",
 			Namespace: "com.owncloud.web",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins:   []string{"https://localhost:9200"},
+				AllowCredentials: false,
 			},
 		},
 		Service: config.Service{
@@ -81,6 +82,11 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.Commons != nil {
 		cfg.HTTP.TLS = cfg.Commons.HTTPServiceTLS
 	}
+
+	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }

 // Sanitize sanitized the configuration