Allow wildcard for allow control allowed origins #414
Conversation
thegoldenmule
requested review from
zivkovicmilos,
lazartravica and
Kourin1996
as code owners
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
|
I have read the CLA Document and I hereby sign the CLA |
|
@Kourin1996 Since Here the header will be set directly to Here the header will be set to Here the header will be set to |
|
@thegoldenmule Thank you for the comments. That's true. In current implementation, multiple domains that contains wildcard can be given. So my comment at that line was not correct actually. We need to talk about whether we can give domains with wildcard. |
|
A simple alternative, btw, would be to skip the array and loop entirely and simply set the string directly to whatever was specified in the configuration. |
|
@Kourin1996 @ptitluca @lazartravica @thegoldenmule What do you think about having It would mitigate this additional code complication, as you'd assume if anything specific was provided for allowed origins, you'd need to check against it, otherwise it's all allowed because the wildcard ( |
|
@zivkovicmilos Not sure setting wildcard as default is good. Wildcard will allow all web browsers to access to JSON-RPC. (Of course, you can block by different layer) |
|
@zivkovicmilos @Kourin1996 IMO |
|
@STZeed I'm not sure I'm following but if any offense was taken, it was certainly not intended. My point is only that this project provides an open API that, by default, does not work in the larger open ecosystem. It's not CORS that is providing the security guarantees behind dapps, though I understand you might as well use every tool your disposal. As far as ideas, I have already mentioned one that may have been passed over. Why not simply set the header explicitly to the value provided by |
|
@thegoldenmule @STZeed Thank you for having opinions and apologize for late reply. Basically I'm not clearly disagree with that. Perhaps there will be few cases of that we want to disable CORS. It will work with allowing CORS to any domains for now. |
|
@Kourin1996 Please let me know how you'd like me to proceed. |
|
I think you will need to do the following things:
@thegoldenmule PR doesn't have 1 now. Thank you |
|
A simplest way is to add default value here polygon-edge/command/helper/helper.go Line 479 in 8a033aa |
thegoldenmule
force-pushed
the
bugfix/wildcard-cors
branch
from
b020fe2
to
0263fcb
Compare
|
@Kourin1996 That file seems to have gone through a large refactor recently. I changed it in |
There was a problem hiding this comment.
LGTM 🥇
Tested everything. It works as intended.
Just one observation:
If there is a need to allow multiple domains with --access-control-allow-origins flag, proper usage is setting multiple flags in same command instead of setting multiple domains separated by comma.
This will work:
polygon-edge server --access-control-allow-origins https://example.com --access-control-allow-origins https://edge-docs.polygon.technology
This will not work:
polygon-edge server --access-control-allow-origins "https://example.com,https://edge-docs.polygon.technology"
We will publish the docs with proper usage for this flag soon.
Just fix these linter errors, and we're good to go.
Great job 💯
There was a problem hiding this comment.
Looks great 💯
Thank you for the contribution 🙏
Please check out Zeljko's comment and resolve the linting errors, after that we're good to go 🚀
|
@zivkovicmilos @ZeljkoBenovic Thanks so much. I think I've fixed the linter issues. I have not used |
Description
The new
--access-control-allow-originsflag did not function correctly with wildcards. This means that tech that didn't explicitly specify anOriginheader on requests to the JSON RPC API would be blocked. This includes standard tech like MetaMask.Changes include
Testing
Manual tests
I was able to do various actions via MetaMask and explore the blockchain via typical
eth_functions.Fixes EDGE-436