Allow wildcard for allow control allowed origins #414
Conversation
CLA Assistant Lite bot: All contributors have signed the CLA ✍️ ✅
I appreciate your PR. I've left a small comment. Would be great if you could check it. Thank you!
@Kourin1996 Since
Here the header will be set directly to
Here the header will be set to
Here the header will be set to
@thegoldenmule Thank you for the comments. That's true. In the current implementation, multiple domains that contain wildcards can be given. So my comment on that line was not correct, actually. We need to discuss whether we can allow domains with wildcards.
A simple alternative, btw, would be to skip the array and loop entirely and simply set the string directly to whatever was specified in the configuration.
@Kourin1996 @ptitluca @lazartravica @thegoldenmule What do you think about having It would mitigate this additional code complication, as you'd assume if anything specific was provided for allowed origins, you'd need to check against it, otherwise it's all allowed because the wildcard (
@zivkovicmilos I'm not sure setting the wildcard as the default is good. The wildcard will allow all web browsers to access the JSON-RPC. (Of course, you can block it at a different layer.)
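The following Go program is an added example to make the two behaviours debated above concrete; it is not polygon-edge code and not the implementation this PR landed. It shows what a JSON-RPC CORS allow-list should do with a request that carries no Origin header at all (the MetaMask case from the PR description: CORS does not apply, so the request must not be blocked), how a configured `*` differs from an exact origin or a wildcard pattern (the literal `*` is sent back, a matched pattern echoes the concrete origin), and why one comma-joined value is a single entry that matches nothing. The `CORSConfig`, `ResolveOrigin`, `CORS` and `Probe` names, the 403 response for disallowed origins, the wildcard syntax and the origins used are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// wildcardMatch: each '*' in pattern matches any run of characters. An Origin
// header is scheme://host[:port] with no path, so the match covers only that.
func wildcardMatch(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	last := len(parts) - 1
	if last == 0 {
		return pattern == s
	}
	if !strings.HasPrefix(s, parts[0]) || !strings.HasSuffix(s[len(parts[0]):], parts[last]) {
		return false
	}
	s = s[len(parts[0]) : len(s)-len(parts[last])]
	for _, mid := range parts[1:last] { // middle pieces must appear in order
		i := strings.Index(s, mid)
		if i < 0 {
			return false
		}
		s = s[i+len(mid):]
	}
	return true
}

// CORSConfig is a hypothetical allow-list type (assumption, not the project's).
// One entry per occurrence of the flag; a comma-joined value is one entry.
type CORSConfig struct{ AllowedOrigins []string }

// ResolveOrigin returns the Access-Control-Allow-Origin value to send (""
// for none) and whether the request may be served at all.
func (c CORSConfig) ResolveOrigin(origin string) (string, bool) {
	if origin == "" {
		// No Origin header: not a browser cross-origin request (curl, a wallet's
		// RPC provider, server-to-server). CORS does not apply; do not block it.
		return "", true
	}
	for _, p := range c.AllowedOrigins {
		switch {
		case p == "*":
			return "*", true // every origin may read the response
		case p == origin:
			return origin, true
		case strings.Contains(p, "*") && wildcardMatch(p, origin):
			return origin, true // echo the concrete origin, never the pattern
		}
	}
	return "", false
}

// CORS enforces cfg in front of next. Answering 403 is a choice made here;
// omitting the header would make the browser block the response instead.
func CORS(cfg CORSConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		value, ok := cfg.ResolveOrigin(r.Header.Get("Origin"))
		if !ok {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		if value != "" {
			w.Header().Set("Access-Control-Allow-Origin", value)
			if value != "*" {
				w.Header().Add("Vary", "Origin") // per-origin answers must not be shared by caches
			}
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one constructed JSON-RPC POST through the middleware and returns
// the status code and the Access-Control-Allow-Origin header that came back.
func Probe(cfg CORSConfig, origin string) (int, string) {
	h := CORS(cfg, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"jsonrpc":"2.0","id":1,"result":"0x64"}`) // constructed reply
	}))
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"eth_chainId"}`))
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	good := CORSConfig{AllowedOrigins: []string{"https://example.com", "https://*.polygon.technology"}}
	bad := CORSConfig{AllowedOrigins: []string{"https://example.com,https://edge-docs.polygon.technology"}} // one entry, matches nothing
	for _, o := range []string{"", "https://example.com", "https://edge-docs.polygon.technology", "https://evil.example"} {
		c1, h1 := Probe(good, o)
		c2, _ := Probe(bad, o)
		fmt.Printf("Origin=%q -> repeated flags: %d ACAO=%q | comma-joined: %d\n", o, c1, h1, c2)
	}
}
```

The request without an Origin header is served with no CORS header at all in both configurations, which is the fix the PR is after; a configured `*` is returned literally, so a `Vary: Origin` is only added when a specific origin is echoed.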
@zivkovicmilos @Kourin1996 IMO
@STZeed I'm not sure I'm following, but if any offense was taken, it was certainly not intended. My point is only that this project provides an open API that, by default, does not work in the larger open ecosystem. It's not CORS that is providing the security guarantees behind dapps, though I understand you might as well use every tool at your disposal. As far as ideas, I have already mentioned one that may have been passed over. Why not simply set the header explicitly to the value provided by
@thegoldenmule @STZeed Thank you for your opinions, and apologies for the late reply. Basically, I don't clearly disagree with that. Perhaps there will be few cases where we want to disable CORS. It will work by allowing CORS for any domain for now.
@Kourin1996 Please let me know how you'd like me to proceed. |
I think you will need to do the following things:
@thegoldenmule PR doesn't have 1 now. Thank you
The simplest way is to add a default value here: polygon-edge/command/helper/helper.go Line 479 in 8a033aa
@Kourin1996 That file seems to have gone through a large refactor recently. I changed it in
LGTM 🥇
Tested everything. It works as intended.
Just one observation:
If there is a need to allow multiple domains with the --access-control-allow-origins
flag, the proper usage is to set multiple flags in the same command instead of setting multiple domains separated by commas.
This will work:
polygon-edge server --access-control-allow-origins https://example.com --access-control-allow-origins https://edge-docs.polygon.technology
This will not work:
polygon-edge server --access-control-allow-origins "https://example.com,https://edge-docs.polygon.technology"
We will publish the docs with proper usage for this flag soon.
Just fix these linter errors, and we're good to go.
Great job 💯
Looks great 💯
Thank you for the contribution 🙏
Please check out Zeljko's comment and resolve the linting errors, after that we're good to go 🚀
@zivkovicmilos @ZeljkoBenovic Thanks so much. I think I've fixed the linter issues. I have not used
Thank you for resolving the linting errors, and for the contribution 🙏
Merging this now 🚀
Description
The new --access-control-allow-origins flag did not function correctly with wildcards. This means that tech that didn't explicitly specify an Origin header on requests to the JSON RPC API would be blocked. This includes standard tech like MetaMask.
Changes include
Testing
Manual tests
I was able to do various actions via MetaMask and explore the blockchain via typical eth_ functions.
Fixes EDGE-436