
Restrict CORS for Builder Secret Keys #31

Merged
merged 1 commit into master from restrict-cors-for-builder-secret-keys
Dec 11, 2024

Conversation

VojtechVitek
Contributor

@VojtechVitek VojtechVitek commented Dec 10, 2024

@VojtechVitek VojtechVitek force-pushed the restrict-cors-for-builder-secret-keys branch from cd2f6b3 to f692ffa Compare December 10, 2024 15:25
@VojtechVitek VojtechVitek force-pushed the restrict-cors-for-builder-secret-keys branch from f692ffa to 592dec4 Compare December 10, 2024 15:26
Comment on lines +216 to +229
origin := r.Header.Get("Origin")
if origin != "" {
err := proto.ErrSecretKeyCorsDisallowed.WithCausef("project_id: %v", projectClaim)

slog.ErrorContext(ctx, "CORS disallowed for Secret Key",
slog.Any("error", err),
slog.String("origin", origin),
slog.Uint64("project_id", uint64(projectClaim)),
)

// TODO: Uncomment once we're confident it won't disrupt major customers.
// cfg.ErrHandler(r, w, err)
// return
}
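Review bot: with cfg.ErrHandler and the return commented out, the branch at the top of this hunk is log-only, so a request that presents a Secret Key together with an Origin header is still served; the slog.ErrorContext call records the misuse but nothing stops it. Rather than leaving the rejection as commented-out code behind a TODO, consider gating it on a config flag (log-only vs. enforce) so the switch to enforcement is a configuration change that can be rolled out and rolled back per environment, and the TODO cannot silently outlive the rollout. Note also that a non-empty Origin is a heuristic for "sent from a browser": non-browser clients can set or omit it freely, so these log lines are a rollout signal for how many web apps misuse Secret Keys, not proof that every misuse was seen.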
Contributor Author

For now, this will only log an error with the origin and project_id fields if we encounter a Secret Key misused from a web app.

Eventually, we will error out instead, once we're confident it won't disrupt major customers.
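The log-only versus enforcing behaviour described above, as an added stand-alone example written for this page (not the project's own middleware); the `sk_` token prefix, the `Enforce` flag and the handler names are assumptions standing in for the project's credential classification and rollout switch.

```go
package main

import (
	"log/slog"
	"net/http"
	"strings"
)

// SecretKeyOriginPolicy decides what happens when a request authenticated with a
// Builder Secret Key also carries a browser Origin header. Enforce=false mirrors
// the PR's log-only rollout; Enforce=true is the eventual reject behaviour.
type SecretKeyOriginPolicy struct {
	Enforce bool
	Logger  *slog.Logger
}

// isSecretKey is an assumed stand-in for the project's credential classification:
// here any bearer token starting with "sk_" counts as a Secret Key.
func isSecretKey(authHeader string) bool {
	token := strings.TrimPrefix(authHeader, "Bearer ")
	return token != authHeader && strings.HasPrefix(token, "sk_")
}

// Check reports whether the request must be rejected and which Origin triggered it.
// A non-empty Origin means a browser (or something imitating one) presented a
// server-side credential; that is always logged, and rejected only when Enforce is set.
func (p SecretKeyOriginPolicy) Check(r *http.Request) (reject bool, origin string) {
	if !isSecretKey(r.Header.Get("Authorization")) {
		return false, ""
	}
	origin = r.Header.Get("Origin")
	if origin == "" {
		return false, ""
	}
	p.Logger.Error("CORS disallowed for Secret Key",
		slog.String("origin", origin), slog.Bool("enforced", p.Enforce))
	return p.Enforce, origin
}

// Middleware applies the policy; in log-only mode every request still passes through.
func (p SecretKeyOriginPolicy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reject, _ := p.Check(r); reject {
			http.Error(w, "Secret Keys may not be used from a web origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap the gateway's RPC handler with `Middleware` and flip `Enforce` once the log volume shows no major customer depends on the disallowed pattern.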

@VojtechVitek VojtechVitek merged commit addf813 into master Dec 11, 2024
2 checks passed
@VojtechVitek VojtechVitek deleted the restrict-cors-for-builder-secret-keys branch December 11, 2024 11:06
@VojtechVitek
Contributor Author

Works fine in node-gateway:

resource.type="k8s_container"
resource.labels.cluster_name="sequence-b27697b"
resource.labels.namespace_name="dev-sequence"
"CORS disallowed for Secret Key"

[Screenshot 2024-12-11 at 3:15:14 PM: log query results]
