security: make CORS enforcement of non-API routes even more strict

Administrator requested to merge sg/cors-policy-enforcement into main

Created by: slimsag

This PR is stacked on top of #27240.

There are three commits:

  • The first has no behavior change, it just moves code around to make the next commit even more clean and make the logic more legible.
  • The second:
    • Forbids cross-origin requests for all non-API routes, even if they are from an allowed origin in the site config corsOrigin setting.
    • Effectively makes corsOrigin only configure cross-origin access of our API routes. i.e. because a cross-origin request for verify email, sign out, etc. never makes any sense, we should be more strict.
    • Fixes sourcegraph/security-issues#176
  • The third updates our CSRF threat model document to reflect the improvements.
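
An added sketch of the policy described above, written as Go `net/http` middleware; it is not code from this PR or from Sourcegraph. The site origin, the `/api/` prefix, the route paths, the allowed origin and the 403 response are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const (
	siteOrigin = "https://sourcegraph.example.com" // hypothetical: the instance's own origin
	apiPrefix  = "/api/"                           // hypothetical: prefix marking API routes
)

// enforceCORS rejects (with 403, this sketch's choice) any cross-origin request to a
// non-API route, and lets corsOrigins grant cross-origin access to API routes only.
func enforceCORS(next http.Handler, corsOrigins map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		// No Origin header, or the site's own origin: treated as not cross-origin.
		if origin == "" || origin == siteOrigin {
			next.ServeHTTP(w, r)
			return
		}
		if !strings.HasPrefix(r.URL.Path, apiPrefix) || !corsOrigins[origin] {
			http.Error(w, "cross-origin request forbidden", http.StatusForbidden)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Add("Vary", "Origin")
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed POST through the middleware and returns the status code.
func status(path, origin string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := enforceCORS(ok, map[string]bool{"https://app.example.com": true}) // constructed corsOrigin list
	req := httptest.NewRequest(http.MethodPost, path, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status("/sign-out", "https://app.example.com"), status("/api/graphql", "https://app.example.com"))
}
```

The case to watch is the first one printed: an origin that is on the allow list still gets rejected on a non-API route such as sign out, which is the stricter behavior the second commit introduces.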
