Simplify CORS configuration

CORS headers are no longer handled by nginx, but directly by the LMS. This makes it possible by 3rd-party apps to easily add domain names to the CORS whitelist, even when they are not subdomains of the LMS.
2024-12-12 14:17:46 +00:00 · 2020-10-13 13:34:12 +02:00 · 2020-10-13 13:34:12 +02:00 · 2f7742b099
commit 2f7742b099
parent 9f94a12c7d
4 changed files with 8 additions and 12 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,10 @@

 Note: Breaking changes between versions are indicated by "💥".

+## Unreleased
+
+- 💥[Improvement] Simplify CORS configuration
+
 ## v10.2.4 (2020-10-06)

 - [Bugfix] Fix Apache proxy configuration when HTTPS is enabled (#370)
--- a/tutor/templates/apps/nginx/lms.conf
+++ b/tutor/templates/apps/nginx/lms.conf
@ -12,11 +12,6 @@ server {
 }
 {% endif %}

-map $http_origin $allow_origin {
-    # Accept requests coming from all subdomains of the LMS host
-    ~^{% if ACTIVATE_HTTPS %}https{% else %}http{% endif %}://.*\.{{ LMS_HOST }}$ $http_origin;
-}
-
 server {
  {% if ACTIVATE_HTTPS %}listen 443 {{ "" if WEB_PROXY else "ssl" }};{% else %}listen 80;{% endif %}
  server_name {{ LMS_HOST }} preview.{{ LMS_HOST }};
@ -30,13 +25,6 @@ server {
  client_max_body_size 4M;
  server_tokens off;

-  # CORS configuration
-  add_header 'Access-Control-Allow-Origin' '$allow_origin';
-  add_header 'Access-Control-Allow-Credentials' 'true';
-  # sampled from edx.org
-  add_header 'Access-Control-Allow-Headers' 'accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with, use-jwt-cookie';
-  add_header 'Access-Control-Max-Age' 86400;
-
  rewrite ^(.*)/favicon.ico$ /static/images/favicon.ico last;

  location @proxy_to_lms_app {
--- a/tutor/templates/apps/openedx/config/lms.env.json
+++ b/tutor/templates/apps/openedx/config/lms.env.json
@ -10,6 +10,7 @@
    {{ patch("lms-env-features", separator=",\n", suffix=",")|indent(4) }}
    "CERTIFICATES_HTML_VIEW": true,
    "PREVIEW_LMS_BASE": "preview.{{ LMS_HOST }}",
+    "ENABLE_CORS_HEADERS": true,
    "ENABLE_COURSE_DISCOVERY": true,
    "ENABLE_COURSEWARE_SEARCH": true,
    "ENABLE_CSMH_EXTENDED": false,
--- a/tutor/templates/apps/openedx/settings/partials/common_all.py
+++ b/tutor/templates/apps/openedx/settings/partials/common_all.py
@ -30,6 +30,9 @@ DATABASE_ROUTERS.remove(
 # Set uploaded media file path
 MEDIA_ROOT = "/openedx/media/"

+# Add your MFE and third-party app domains here
+CORS_ORIGIN_WHITELIST = []
+
 # Video settings
 VIDEO_IMAGE_SETTINGS["STORAGE_KWARGS"]["location"] = MEDIA_ROOT
 VIDEO_TRANSCRIPTS_SETTINGS["STORAGE_KWARGS"]["location"] = MEDIA_ROOT