Add CORS config to LMS

By default, all subdomains of the LMS are allowed. For reference: https://enable-cors.org/server_nginx.html https://stackoverflow.com/questions/54313216/nginx-config-to-enable-cors-with-origin-matching
2024-06-18 05:12:21 +00:00 · 2020-09-04 22:51:40 +02:00 · 2020-09-04 22:51:40 +02:00 · 055c3cad3f
commit 055c3cad3f
parent b1c7dab03e
2 changed files with 14 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,7 @@ Note: Breaking changes between versions are indicated by "💥".

 ## Unreleased

+- [Improvement] Add CORS basic configuration to LMS for subdomains of the LMS
 - [Feature] Add support for `images build --add-host` option (thanks @grinderz!)
 - [Bugfix] Fix podman compatibility by replacing `docker-compose rm` command by `docker-compose stop` when stopping containers
 - [Improvement] Improve plugin data deletion
--- a/tutor/templates/apps/nginx/lms.conf
+++ b/tutor/templates/apps/nginx/lms.conf
@ -12,6 +12,11 @@ server {
 }
 {% endif %}

+map $http_origin $allow_origin {
+    # Accept requests coming from all subdomains of the LMS host
+    ~^{% if ACTIVATE_HTTPS %}https{% else %}http{% endif %}://.*\.{{ LMS_HOST }}$ $http_origin;
+}
+
 server {
  {% if ACTIVATE_HTTPS %}listen 443 {{ "" if WEB_PROXY else "ssl" }};{% else %}listen 80;{% endif %}
  server_name {{ LMS_HOST }} preview.{{ LMS_HOST }};
@ -25,8 +30,15 @@ server {
  client_max_body_size 4M;
  server_tokens off;

+  # CORS configuration
+  add_header 'Access-Control-Allow-Origin' '$allow_origin';
+  add_header 'Access-Control-Allow-Credentials' 'true';
+  # sampled from edx.org
+  add_header 'Access-Control-Allow-Headers' 'accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with, use-jwt-cookie';
+  add_header 'Access-Control-Max-Age' 86400;
+
  rewrite ^(.*)/favicon.ico$ /static/images/favicon.ico last;
-  
+
  location @proxy_to_lms_app {
    {% if not WEB_PROXY %}
    proxy_set_header X-Forwarded-Proto $scheme;