Created by: slimsag
This PR enables public access of Sourcegraph APIs from any domain / origin securely, and without enabling CSRF attacks against Sourcegraph. This works for all Sourcegraph instances (Sourcegraph.com, on-prem, etc.). Here's how:

… `corsOrigin` allow list)

… `corsOrigin` allow list), then session-based authentication (cookies) sent with the request are NOT respected even if present: the request will be treated as unauthenticated. This is what protects our API from CSRF attacks while still allowing public usage both anonymously and with e.g. access tokens.

See also the diagrams added in https://github.com/sourcegraph/sourcegraph/pull/27937 which cover this. I suggest reviewing the commits in this PR individually: the first one makes the simple code change and all subsequent ones just add detailed explanations for why this is secure.
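As an added illustration of the rule above (example code written for this page, not the PR's own change): a Go pre-authentication step that checks the request's `Origin` against a constructed `corsOrigin` allow list and withholds the session cookie from untrusted origins, so cookie-based auth is ignored there while access-token auth keeps working. The instance URL, the allow-list entry and the cookie name `sgs` are constructed assumptions, not Sourcegraph's real configuration.

```go
package main

import "net/http"
import "strings"

// Constructed values (not Sourcegraph's real config): instance URL, corsOrigin
// allow list and a hypothetical session cookie name.
var externalURL = "https://sourcegraph.example.com"
var corsOrigins = map[string]bool{"https://app.example.org": true}
var sessionCookie = "sgs"

// OriginIsTrusted: the Origin header names the instance itself or an entry in
// the corsOrigin allow list. An absent Origin (curl, scripts) is trusted here,
// assuming browsers always send Origin on cross-site POST and fetch/XHR calls.
func OriginIsTrusted(r *http.Request) bool {
	o := r.Header.Get("Origin")
	return o == "" || o == externalURL || corsOrigins[o]
}

// DropSessionForUntrustedOrigins removes the session cookie before authentication
// runs, so an untrusted origin is anonymous unless it presents an access token.
// Other cookies are kept; only the session credential is withheld.
func DropSessionForUntrustedOrigins(r *http.Request) {
	if OriginIsTrusted(r) {
		return
	}
	kept := r.Cookies()
	r.Header.Del("Cookie")
	for _, c := range kept {
		if c.Name != sessionCookie {
			r.AddCookie(c)
		}
	}
}

// Actor applies that step and reports the identity the API would then see:
// "session" (cookie survived), "token" (access token header) or "anonymous".
func Actor(r *http.Request) string {
	DropSessionForUntrustedOrigins(r)
	if _, err := r.Cookie(sessionCookie); err == nil {
		return "session"
	}
	if strings.HasPrefix(r.Header.Get("Authorization"), "token ") {
		return "token"
	}
	return "anonymous"
}
```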
Fixes #18847 (closed) Fixes #23140 (closed)