security: enable handling CORS policies differently for API and non-API routes
Created by: slimsag
This change has no effect, the behavior is identical before and after. Instead, the actual change in behavior will come in a subsequent PR. All this does is make secureHeadersMiddleware
aware of what type of route it is protecting: what cross-origin request policy it should be enforcing.
This is needed to improve security in various ways:
- To make our handling of cross-origin requests on non-API endpoints such as sign out routes more strict, as described here.
- To make behavior of things such as this more strict: https://github.com/sourcegraph/security-issues/issues/176
Note that there is one small behavior change, the secure middleware headers will now run after the following middlewares:
h = middleware.Trace(h)
h = gcontext.ClearHandler(h)
h = healthCheckMiddleware(h)
It is 100% OK to do this because:
- It doesn't matter when request tracing occurs.
- It doesn't matter when health check request handling occurs.
- gcontext.ClearHandler executes once the request has finished (deferred execution), so its behavior does not actually change.
Helps sourcegraph/security-issues#176
Signed-off-by: Stephen Gutekanst [email protected]