From d672a4b0ee73adc97bc6d703be781f1c9d41777f Mon Sep 17 00:00:00 2001
From: Joel Anton
Date: Wed, 17 Apr 2024 10:28:46 -0700
Subject: [PATCH] fix: Use origin instead of host for CORS enforcement (#5426)
---
 apps/api/src/config/cors.spec.ts | 2 +-
 apps/api/src/config/cors.ts | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/api/src/config/cors.spec.ts b/apps/api/src/config/cors.spec.ts
index b820d802f87..b60af15b969 100644
--- a/apps/api/src/config/cors.spec.ts
+++ b/apps/api/src/config/cors.spec.ts
@@ -71,7 +71,7 @@ describe('CORS Configuration', () => {
 {
 url: '/v1/test',
 headers: {
- host: 'https://test--' + process.env.PR_PREVIEW_ROOT_URL,
+ origin: 'https://test--' + process.env.PR_PREVIEW_ROOT_URL,
 },
 },
 callbackSpy
diff --git a/apps/api/src/config/cors.ts b/apps/api/src/config/cors.ts
index 434bd422c11..3c81d9a2780 100644
--- a/apps/api/src/config/cors.ts
+++ b/apps/api/src/config/cors.ts
@@ -10,7 +10,7 @@ export const corsOptionsDelegate: Parameters[0]
 methods: ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
 };
- const host = (req.headers as any)?.host || '';
+ const origin = (req.headers as any)?.origin || '';
 if (['test', 'local'].includes(process.env.NODE_ENV) || isWidgetRoute(req.url) || isBlueprintRoute(req.url)) {
 corsOptions.origin = '*';
@@ -23,12 +23,12 @@ export const corsOptionsDelegate: Parameters[0]
 const shouldDisableCorsForPreviewUrls =
 process.env.PR_PREVIEW_ROOT_URL &&
 process.env.NODE_ENV === 'dev' &&
- host.includes(process.env.PR_PREVIEW_ROOT_URL);
+ origin.includes(process.env.PR_PREVIEW_ROOT_URL);
 Logger.verbose(`Should allow deploy preview? ${shouldDisableCorsForPreviewUrls ? 'Yes' : 'No'}.`, {
 curEnv: process.env.NODE_ENV,
 previewUrlRoot: process.env.PR_PREVIEW_ROOT_URL,
- origin,
+ origin,
 });
 if (shouldDisableCorsForPreviewUrls) {
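Review bot: The cors.spec.ts case only covers an origin that should be accepted (`'https://test--' + process.env.PR_PREVIEW_ROOT_URL`); nothing in this hunk asserts that an origin which merely contains the preview root elsewhere in the string is refused. Because cors.ts decides with a substring match, a negative case would pin the intended boundary, for example a request with `origin: 'https://' + process.env.PR_PREVIEW_ROOT_URL + '.other.example'` (constructed value) expecting the callback not to receive the relaxed origin option. The enclosing test block starts and ends outside the hunk, so such a case may already exist elsewhere in the file.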
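Review bot: In the first cors.ts hunk, `(req.headers as any)?.origin || ''` leaves `origin` typed as `any`, so the later `origin.includes(...)` call is not type-checked and would take array semantics if the header value were ever not a plain string. A narrow guard keeps the value a string at runtime: `const rawOrigin = (req.headers as any)?.origin;` followed by `const origin = typeof rawOrigin === 'string' ? rawOrigin : '';`. A one-line comment that Origin is client-supplied and absent on many non-browser requests would also tell readers this value only selects CORS response headers and is not an access check. The delegate's body starts and ends outside the hunk.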
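Review bot: `origin.includes(process.env.PR_PREVIEW_ROOT_URL)` in the second cors.ts hunk is a substring match on a client-supplied header, so any Origin that contains the preview root anywhere in the string satisfies `shouldDisableCorsForPreviewUrls`, not only real preview deployments. What the `if (shouldDisableCorsForPreviewUrls) {` branch sets lies outside the hunk, but its name and the log message suggest it relaxes the allowed origin, and the `NODE_ENV === 'dev'` gate narrows the exposure without removing it. Parsing the header and anchoring the comparison to the end of the host is stricter. The `--` separator below is inferred from the spec's `'https://test--' + PR_PREVIEW_ROOT_URL` and should be confirmed against the real preview URL scheme, including whether the variable ever carries a port.

```typescript
// … unchanged: corsOptions setup and the wildcard branch for test/local/widget/blueprint routes …
const previewRoot = process.env.PR_PREVIEW_ROOT_URL;
let originHost = '';
try {
  originHost = new URL(origin).host;
} catch {
  // missing or malformed Origin header: never treated as a preview URL
}
const shouldDisableCorsForPreviewUrls =
  !!previewRoot &&
  process.env.NODE_ENV === 'dev' &&
  (originHost === previewRoot || originHost.endsWith(`--${previewRoot}`));
// … unchanged: Logger.verbose call and the if (shouldDisableCorsForPreviewUrls) branch …
```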