From 2f7742b099a98d5c9101bacfd9ce703a46e62433 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Behmo?=
Date: Tue, 13 Oct 2020 13:34:12 +0200
Subject: [PATCH] Simplify CORS configuration

CORS headers are no longer handled by nginx, but directly by the LMS. This makes it possible by 3rd-party apps to easily add domain names to the CORS whitelist, even when they are not subdomains of the LMS.
---
 CHANGELOG.md | 4 ++++
 tutor/templates/apps/nginx/lms.conf | 12 ------------
 tutor/templates/apps/openedx/config/lms.env.json | 1 +
 .../apps/openedx/settings/partials/common_all.py | 3 +++
 4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index aa8048b..89dbf77 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 Note: Breaking changes between versions are indicated by "💥".
 
+## Unreleased
+
+- 💥[Improvement] Simplify CORS configuration
+
 ## v10.2.4 (2020-10-06)
 
 - [Bugfix] Fix Apache proxy configuration when HTTPS is enabled (#370)
diff --git a/tutor/templates/apps/nginx/lms.conf b/tutor/templates/apps/nginx/lms.conf
index 42f8eca..99ec0bb 100644
--- a/tutor/templates/apps/nginx/lms.conf
+++ b/tutor/templates/apps/nginx/lms.conf
@@ -12,11 +12,6 @@ server {
 }
 {% endif %}
 
-map $http_origin $allow_origin {
- # Accept requests coming from all subdomains of the LMS host
- ~^{% if ACTIVATE_HTTPS %}https{% else %}http{% endif %}://.*\.{{ LMS_HOST }}$ $http_origin;
-}
-
 server {
 {% if ACTIVATE_HTTPS %}listen 443 {{ "" if WEB_PROXY else "ssl" }};{% else %}listen 80;{% endif %}
 server_name {{ LMS_HOST }} preview.{{ LMS_HOST }};
@@ -30,13 +25,6 @@ server {
 client_max_body_size 4M;
 server_tokens off;
 
- # CORS configuration
- add_header 'Access-Control-Allow-Origin' '$allow_origin';
- add_header 'Access-Control-Allow-Credentials' 'true';
- # sampled from edx.org
- add_header 'Access-Control-Allow-Headers' 'accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with, use-jwt-cookie';
- add_header 'Access-Control-Max-Age' 86400;
-
 rewrite ^(.*)/favicon.ico$ /static/images/favicon.ico last;
 
 location @proxy_to_lms_app {
diff --git a/tutor/templates/apps/openedx/config/lms.env.json b/tutor/templates/apps/openedx/config/lms.env.json
index ebb4126..4941a77 100644
--- a/tutor/templates/apps/openedx/config/lms.env.json
+++ b/tutor/templates/apps/openedx/config/lms.env.json
@@ -10,6 +10,7 @@
 {{ patch("lms-env-features", separator=",\n", suffix=",")|indent(4) }}
 "CERTIFICATES_HTML_VIEW": true,
 "PREVIEW_LMS_BASE": "preview.{{ LMS_HOST }}",
+ "ENABLE_CORS_HEADERS": true,
 "ENABLE_COURSE_DISCOVERY": true,
 "ENABLE_COURSEWARE_SEARCH": true,
 "ENABLE_CSMH_EXTENDED": false,
diff --git a/tutor/templates/apps/openedx/settings/partials/common_all.py b/tutor/templates/apps/openedx/settings/partials/common_all.py
index 76cfa56..7aa3524 100644
--- a/tutor/templates/apps/openedx/settings/partials/common_all.py
+++ b/tutor/templates/apps/openedx/settings/partials/common_all.py
@@ -30,6 +30,9 @@ DATABASE_ROUTERS.remove(
 # Set uploaded media file path
 MEDIA_ROOT = "/openedx/media/"
 
+# Add your MFE and third-party app domains here
+CORS_ORIGIN_WHITELIST = []
+
 # Video settings
 VIDEO_IMAGE_SETTINGS["STORAGE_KWARGS"]["location"] = MEDIA_ROOT
 VIDEO_TRANSCRIPTS_SETTINGS["STORAGE_KWARGS"]["location"] = MEDIA_ROOT
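Review bot: `CORS_ORIGIN_WHITELIST = []` starts empty while the nginx `map` removed in the lms.conf hunks accepted any `https://*.{{ LMS_HOST }}` origin, so an MFE already served from a subdomain loses cross-origin access until an operator adds it here, and the comment does not say what a valid entry looks like. django-cors-headers expects full origins including the scheme rather than bare domain names (confirm against the version edx-platform pins), so I would write the comment as `# Add your MFE and third-party app origins here, scheme included, e.g. "https://apps.{{ LMS_HOST }}"`. With `ENABLE_CORS_HEADERS` switched on in lms.env.json the LMS presumably serves these headers with credentials, as the deleted nginx block did, so every listed origin gets authenticated access and the list should stay explicit rather than fall back to a wildcard. The settings module continues outside the hunk on both sides.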