Merge pull request #49329 from rhcs-dashboard/fix-cors

mgr/dashboard: allow Origin url for CORS if present in config Reviewed-by: Aashish Sharma <aasharma@redhat.com> Reviewed-by: Pere Diaz Bou <pdiazbou@redhat.com> Reviewed-by: Kefu Chai <kchai@redhat.com>
2025-02-23 11:07:35 +00:00 · 2022-12-13 12:41:59 +05:30 · 2022-12-13 12:41:59 +05:30 · fed4c25933
commit fed4c25933
parent f1acb2862a 04cfd23122
1 changed files with 6 additions and 3 deletions
--- a/src/pybind/mgr/dashboard/module.py
+++ b/src/pybind/mgr/dashboard/module.py
@ -246,16 +246,19 @@ class CherryPyConfig(object):
        resp_head = cherrypy.response.headers

        # Always set response headers necessary for 'simple' CORS.
-        req_header_origin_url = req_head.get('Access-Control-Allow-Origin')
+        req_header_cross_origin_url = req_head.get('Access-Control-Allow-Origin')
        cross_origin_urls = mgr.get_localized_module_option('cross_origin_url', '')
        cross_origin_url_list = [url.strip() for url in cross_origin_urls.split(',')]
-        if req_header_origin_url in cross_origin_url_list:
-            resp_head['Access-Control-Allow-Origin'] = req_header_origin_url
+        if req_header_cross_origin_url in cross_origin_url_list:
+            resp_head['Access-Control-Allow-Origin'] = req_header_cross_origin_url
        resp_head['Access-Control-Expose-Headers'] = 'GET, POST'
        resp_head['Access-Control-Allow-Credentials'] = 'true'

        # Non-simple CORS preflight request; short-circuit the normal handler.
        if cherrypy.request.method == 'OPTIONS':
+            req_header_origin_url = req_head.get('Origin')
+            if req_header_origin_url in cross_origin_url_list:
+                resp_head['Access-Control-Allow-Origin'] = req_header_origin_url
            ac_method = req_head.get('Access-Control-Request-Method', None)

            allowed_methods = ['GET', 'POST']