Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PB-737: Block shortening of external urls #66

Merged
merged 5 commits into from
Aug 8, 2024
Merged

PB-737: Block shortening of external urls #66

merged 5 commits into from
Aug 8, 2024

Conversation

LukasJoss
Copy link
Contributor

No description provided.

@LukasJoss LukasJoss force-pushed the feat-PB-737-block-shortening-of-external-urls branch 3 times, most recently from 00d9729 to a1cbeb1 Compare August 7, 2024 14:04
@LukasJoss LukasJoss force-pushed the feat-PB-737-block-shortening-of-external-urls branch from a1cbeb1 to cdf2799 Compare August 7, 2024 14:09
@LukasJoss LukasJoss requested review from benschs and boecklic August 7, 2024 14:16
benschs
benschs reviewed Aug 8, 2024
View reviewed changes
.env.default Outdated Show resolved Hide resolved
@LukasJoss LukasJoss requested a review from benschs August 8, 2024 07:39
benschs
benschs approved these changes Aug 8, 2024
View reviewed changes
Copy link

@benschs benschs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@LukasJoss LukasJoss merged commit e45f03a into develop Aug 8, 2024
3 checks passed
@LukasJoss LukasJoss deleted the feat-PB-737-block-shortening-of-external-urls branch August 8, 2024 08:24
ltshb added a commit that referenced this pull request Sep 18, 2024
@ltshb
PB-737: Fix CORS issues when working on localhost
c23849a 
Previous PR #66 was too restrictive has it blocked localhost on the DEV staging
which is needed to develop the web-mapviewer.

The main issue was that the ALLOWED_DOMAINS config was used for CORS and for
URL parameter check, but in the code the logic to validate CORS and url parameter
differ, due to this it was not possible anymore to set a ALLOWED_DOMAINS value
that would allow localhost as CORS and or as url parameter. The url parameter
check wanted to have a regex to exactly match the host name without the path,
while CORS did check the full url.

Now the code has been simplified and we use the same function/logic to test url
and CORS, using the full url. Note that ORIGIN and REFERER header based on the
documentation should always has the scheme http:// or https://. Referer might
have a path or not.

So now the ALLOWED_DOMAINS must be a pattern that match a full URL not only part
of it.
@ltshb ltshb mentioned this pull request Sep 18, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benschs benschs benschs approved these changes

@boecklic boecklic Awaiting requested review from boecklic

Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@LukasJoss @benschs