diff --git a/bskyweb/cmd/bskyweb/main.go b/bskyweb/cmd/bskyweb/main.go
index 3f46c4b00b..985879f4a9 100644
--- a/bskyweb/cmd/bskyweb/main.go
+++ b/bskyweb/cmd/bskyweb/main.go
@@ -80,6 +80,13 @@ func run(args []string) {
 Value: "",
 EnvVars: []string{"BASIC_AUTH_PASSWORD"},
 },
+ &cli.StringSliceFlag{
+ Name: "cors-allowed-origins",
+ Usage: "list of allowed origins for CORS requests",
+ Required: false,
+ Value: cli.NewStringSlice("https://bsky.app", "https://main.bsky.dev", "https://app.staging.bsky.dev"),
+ EnvVars: []string{"CORS_ALLOWED_ORIGINS"},
+ },
 },
 },
 }
diff --git a/bskyweb/cmd/bskyweb/server.go b/bskyweb/cmd/bskyweb/server.go
index afd9247ace..2d75a2b723 100644
--- a/bskyweb/cmd/bskyweb/server.go
+++ b/bskyweb/cmd/bskyweb/server.go
@@ -57,6 +57,7 @@ func serve(cctx *cli.Context) error {
 linkHost := cctx.String("link-host")
 ipccHost := cctx.String("ipcc-host")
 basicAuthPassword := cctx.String("basic-auth-password")
+ corsOrigins := cctx.StringSlice("cors-allowed-origins")
 // Echo
 e := echo.New()
@@ -168,6 +169,12 @@ func serve(cctx *cli.Context) error {
 RedirectCode: http.StatusFound,
 }))
+ // CORS middleware
+ e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
+ AllowOrigins: corsOrigins,
+ AllowMethods: []string{http.MethodGet, http.MethodHead, http.MethodOptions},
+ }))
+
 //
 // configure routes
 //
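Review bot: The default in `Value:` of the new `cors-allowed-origins` flag puts `https://main.bsky.dev` and `https://app.staging.bsky.dev` on the allow-list of every deployment that does not set `CORS_ALLOWED_ORIGINS`; judging by the names these are pre-production hosts, so a production instance would let pages served from them read its responses cross-origin. I would default to the production origin only, `Value: cli.NewStringSlice("https://bsky.app"),`, and have staging and dev deployments set the variable explicitly. The `Usage` text could also state the expected format, for example `Usage: "comma-separated exact origins (scheme://host[:port]) allowed for CORS requests",`, because urfave/cli splits the environment value on commas and an entry with a path or trailing slash will not match a browser's `Origin` header. The flag list belongs to `run`, whose body starts and ends outside the hunk.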
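Review bot: `AllowOrigins: corsOrigins` in the second server.go hunk is passed through unchecked, and Echo's CORS middleware replaces an empty `AllowOrigins` with its default of `*`, so a configuration that resolves to an empty list fails open instead of closed. Whether an empty `CORS_ALLOWED_ORIGINS` really yields an empty slice depends on the urfave/cli version in use, so a guard before `e.Use` is cheap insurance: `if len(corsOrigins) == 0 { return errors.New("cors-allowed-origins must not be empty") }`; rejecting a literal `*` entry in the same place would keep the list explicit. The middleware is installed globally with `e.Use`, so it also covers whatever routes the `basic-auth-password` option protects (not visible here); leaving `AllowCredentials` unset is what keeps that safe, and a comment such as `// AllowCredentials stays false: cross-origin reads must never carry credentials` would stop it being flipped later. The guard would sit next to the `corsOrigins := cctx.StringSlice(...)` line added in the first server.go hunk; `serve` continues outside both hunks.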