Skip to content

Frontend: allow requests from browser extension origins by default

Warren Gifford requested to merge allow-browser-ext-origins into master

Created by: chrismwendt

Before this change, the frontend responded to the OPTIONS request of cross-origin (e.g. browser extension) requests with the Access-Control-Allow-Origin header set to the value of corsOrigin from site config. That behavior prevented the browser extension from communicating with the Sourcegraph instance in the situation where the browser extension did not have permission to the Sourcegraph URL for two reasons:

  • The frontend did not special case the browser extension IDs, which meant that a site admin would need to enter the bundle ID into the corsOrigin in site config
  • Chrome only allows one value in the Access-Control-Allow-Origin header, not a space-separated list

Neither of these problems would have been caught in the "Test plan" section of https://github.com/sourcegraph/sourcegraph/pull/2689 (which removed the browser extension bundle IDs) unless all sites were disabled (they probably weren't) because Chrome only makes a preflighted cross-origin request instead of a simple cross-origin request when the browser extension doesn't have permission on the remote origin. cc @sqs Does this make sense?

After this change, the frontend will respond to cross-origin requests by echoing the Origin request header in the Access-Control-Allow-Origin response header and always allow the browser extension bundle IDs as a special case.

@lguychard I'd like your review on this because this is relevant to https://github.com/sourcegraph/sourcegraph/issues/2799

Fixes https://github.com/sourcegraph/sourcegraph/issues/3056

Merge request reports

Loading