citizenlab
citizenlab copied to clipboard
CitizenLabDotCo
[TAN-1331] Do not allow any cross-origin requests on production
- Works when tested functionally, locally
- Unsure how to test more robustly, other than on staging after merging, and then release to production if all looks OK.
- New spec doesn't really test anything. It does document how the
originsconfig works, so maybe it's useful? - I'd really like to abstract the body of the
allowblock incors.rbinto a class method, to facilitate testing of differentoriginvalues without having to stub the entireRack::Corsmiddleware, but I think it's likely impossible in such an initializer file. - Given that all environments, except development, now do not permit any CORS
origins, I also wonder if it would be better to have this as the default config inconfig/application.rband only override it itconfig/environments/development.rb
Changelog
Technical
- [TAN-1331] Do not allow any cross-origin requests on production
![notion-workspace[bot] avatar](https://avatars.githubusercontent.com/in/300037?v=4 "Published by a pub.dev verified publisher"){kind=small}
| Warnings | |
|---|---|
| :warning: | The PR title contains no Jira issue key (case-sensitive) |
| :warning: | The branch name contains no Jira issue key (case-sensitive) |
| Messages | |
|---|---|
| :book: | Changelog provided 🎉 |
| :book: | |
| :book: | Check translation progress |
Generated by :no_entry_sign: dangerJS against ccf7ddbb3c92673ceef877c409947e8a6aa0d097
@adessy Changed reviewer to you, given Koen will be off for 2 weeks. He was broadly in agreement with my plan to just try this on staging , then release if seems OK. Tests are largely useless, though might be useful as documentation of how rack-cors works?
@adessy I've disabled CORS in development, as discussed in our platform week meetings recently.
Kind of hard to test, with various issues/errors when functionally testing the widget tool in all environments except production at the moment. See Slack thread.