Fix CORS setup #1782
mypy eek
@@ -283,7 +293,7 @@ module backend 'core/host/appservice.bicep' = { | |||
managedIdentity: true | |||
virtualNetworkSubnetId: isolation.outputs.appSubnetId | |||
publicNetworkAccess: publicNetworkAccess | |||
allowedOrigins: [ allowedOrigin ] | |||
allowedOrigins: allowedOrigins |
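Review bot: At `allowedOrigins: allowedOrigins` the backend module receives the whole array with no condition visible in this hunk, so whether CORS stays off for a deployment that configures nothing depends entirely on how that variable is assembled elsewhere in the template. Please add a comment where the array is defined stating which origins go in under which setting, and confirm it resolves to an empty array by default; the old `[ allowedOrigin ]` form always passed a one-element array, even for an empty value, so the default case deserves an explicit check.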
Does this always end up allowing origins even if they don't enable user auth? I don't see a conditional that makes it empty in that case. But maybe my eyes have glazed over.
Or maybe we always allowed them anyway?
allowedOrigin should be empty if they don't enable user auth. I will double check this, good catch
So this is an interesting case
- We were never enabling the portal origins before due to a bug
- So unless they explicitly specified an allowed origin, we never enabled cors
My thought is that we want to only add in the portal / login origins if auth is enabled, otherwise just pick the origins they added. I'll make this adjustment
allowed_origin = allowed_origin.split(";") | ||
if len(allowed_origin) > 0: | ||
app.logger.info("CORS enabled for %s", allowed_origin) | ||
cors(app, allow_origin=allowed_origin, allow_methods=["GET", "POST"]) |
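Review bot: The `len(allowed_origin) > 0` guard after `allowed_origin.split(";")` cannot be false, because `str.split` with a separator returns at least one element (an empty string gives `[""]`), so unless a check outside this hunk already skips the empty value, `cors()` is called with an empty-string origin. Suggest dropping blank entries before the check, e.g. `origins = [o.strip() for o in allowed_origin.split(";") if o.strip()]`, and binding the list to a new name instead of reassigning the variable that held the string.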
We do need to allow credentials
Pulled into #2205
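The rule discussed in this thread (an empty setting means no CORS, and the portal/login origins are added only when auth is enabled), as an added example that is not code from this pull request. The function names and the `AUTH_ORIGINS` placeholder values are hypothetical, and it assumes user-specified origins are always kept and that wildcards are rejected because the app needs credentialed requests.

```python
from urllib.parse import urlsplit

# Hypothetical placeholders; the real portal/login origins are not shown on this page.
AUTH_ORIGINS = ("https://portal.example", "https://login.example")


def normalize_origin(value: str) -> str:
    """Return scheme://host[:port], or raise ValueError if value is not a bare origin."""
    value = value.strip()
    if "*" in value:
        # A credentialed CORS response cannot use a wildcard, and patterns are not origins.
        raise ValueError(f"wildcard not allowed: {value!r}")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) origin: {value!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError(f"origin must not carry a path, query or userinfo: {value!r}")
    return f"{parts.scheme}://{parts.netloc.lower()}"


def build_allowed_origins(raw: str, auth_enabled: bool, auth_origins=AUTH_ORIGINS) -> list[str]:
    """Origins from the ';'-separated setting, plus auth origins only when auth is on."""
    candidates = raw.split(";")
    if auth_enabled:
        candidates += list(auth_origins)
    origins: list[str] = []
    for candidate in candidates:
        if not candidate.strip():
            continue  # "".split(";") == [""], and a trailing ";" adds "" too
        origin = normalize_origin(candidate)
        if origin not in origins:
            origins.append(origin)
    return origins


if __name__ == "__main__":
    # Constructed sample settings.
    for raw, auth in [("", False), ("https://a.example; https://b.example/;", False), ("", True)]:
        print(repr(raw), auth, "->", build_allowed_origins(raw, auth))
```

An empty result is the signal to skip the `cors()` call entirely.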
Purpose
Does this introduce a breaking change?
When developers merge from main and run the server, azd up, or azd deploy, will this produce an error?
If you're not sure, try it out on an old environment.
Does this require changes to learn.microsoft.com docs?
This repository is referenced by this tutorial
which includes deployment, settings and usage instructions. If text or screenshot need to change in the tutorial,
check the box below and notify the tutorial author. A Microsoft employee can do this for you if you're an external contributor.
Type of change