Deny CORS Requests by Default #158
Cool :)
Overall LGTM. Just one point re origins checking in the proxy.
go/grpcwebproxy/main.go
Outdated
if *flagCorsAllowAllOrigins { | ||
return true | ||
} | ||
for _, allowedOrigin := range *flagCorsAllowOrigins { |
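Review bot: the early `return true` on `*flagCorsAllowAllOrigins` sits ahead of the loop over `*flagCorsAllowOrigins`, so when the allow-all flag is set any configured origin list is silently ignored. Consider failing at startup when both are supplied, and have the flag's help text state that it turns origin checking off entirely.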
Looping over all the flags will cause this function to run each time a request is received. Perhaps we can do a map lookup?
Addressed in the latest round.
Hi guys, any update on this please?
@jonny-improbable Could you please rebase the PR and look into the comments?
We really should ship this 😄
6cf2de4 to a6dc50d
Nice to finally have this almost ready!
…s requests from foreign origins by default to avoid circumventing the browser security model. See discussion in #61.
- Simplify `makeHttpOriginFunc` logic
- Improve `--allowed_origins` help text
- Improve error message string formatting
beb3805 to eabca78
@johanbrandhorst All tests are passing, bar Safari 6 which is a Platform Error with Saucelabs (i.e. not a test failure).
LGTM! Can we override the test failure?
By the power of grayskull
Change the default implementation of `grpcweb.WrapServer` so it denies requests from foreign origins by default to avoid circumventing the browser security model. See discussion in #61.
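A deny-by-default origin check with the map lookup suggested in review, as an added example that is not the project's code. `makeOriginFunc`, `normalizeOrigin`, the sample origins, and the choice to reject allow-all combined with an origin list are assumptions of this sketch.

```go
package main
import (
	"fmt"
	"net/url"
	"strings"
)

// makeOriginFunc is a hypothetical helper, not the project's makeHttpOriginFunc.
// The allow-list becomes a set once at startup, so each request is one map lookup.
func makeOriginFunc(allowAll bool, allowed []string) (func(origin string) bool, error) {
	if allowAll {
		if len(allowed) > 0 { // choice made in this example: refuse ambiguous config
			return nil, fmt.Errorf("allow-all cannot be combined with an origin list")
		}
		return func(string) bool { return true }, nil
	}
	set := make(map[string]struct{}, len(allowed))
	for _, o := range allowed {
		norm, err := normalizeOrigin(o)
		if err != nil {
			return nil, fmt.Errorf("invalid allowed origin %q: %v", o, err)
		}
		set[norm] = struct{}{}
	}
	// An empty set denies every foreign origin, which is the default.
	return func(origin string) bool {
		norm, err := normalizeOrigin(origin)
		_, ok := set[norm]
		return err == nil && ok
	}, nil
}

// normalizeOrigin lower-cases a bare scheme://host[:port] origin; anything else is an error.
func normalizeOrigin(o string) (string, error) {
	u, err := url.Parse(o)
	if err != nil {
		return "", err
	}
	norm := strings.ToLower(u.Scheme + "://" + u.Host)
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" || norm != strings.ToLower(o) {
		return "", fmt.Errorf("%q is not a bare http(s) origin", o)
	}
	return norm, nil
}

func main() {
	check, _ := makeOriginFunc(false, []string{"https://app.example.com"}) // constructed sample
	fmt.Println(check("https://app.example.com"), check("https://app.example.com.evil.test"))
}
```

Exact matching on the normalized origin is what keeps a look-alike host with the allowed name as a prefix from passing, which a substring or prefix comparison would let through.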