
Proxito: update CORS settings #10751


Merged
merged 6 commits into from
Sep 20, 2023
Merged
17 changes: 15 additions & 2 deletions readthedocs/proxito/middleware.py
Expand Up @@ -318,18 +318,31 @@ def add_cors_headers(self, request, response):
accepted by browsers. However, we cannot expose these headers for
documentation that's not PUBLIC.
"""

# Disable CORS on "Read the Docs for Business" for now.
# We want to be pretty sure this logic is OK before enabling it there.
if settings.ALLOW_PRIVATE_REPOS:
return

project_slug = getattr(request, "path_project_slug", "")
version_slug = getattr(request, "path_version_slug", "")
host = request.get_host()

if project_slug and version_slug:
if (
project_slug
and version_slug
and host.endswith(settings.RTD_EXTERNAL_VERSION_DOMAIN)
):
allow_cors = Version.objects.filter(
project__slug=project_slug,
slug=version_slug,
privacy_level=PUBLIC,
).exists()
if allow_cors:
response.headers["Access-Control-Allow-Origin"] = "*.readthedocs.build"
response.headers["Access-Control-Allow-Origin"] = host
response.headers["Access-Control-Allow-Methods"] = "OPTIONS, GET"
response.headers["Vary"] = "Origin"

return response

def _get_https_redirect(self, request):
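Review bot: The `Access-Control-Allow-Origin` value on the new `= host` line is a bare hostname, but browsers compare that header byte-for-byte with the serialized request Origin, which carries the scheme (`https://project--111.dev.readthedocs.build`), so a hostname without a scheme never matches and cross-origin reads still fail. Emitting a full origin, `response.headers["Access-Control-Allow-Origin"] = f"{request.scheme}://{host}"`, or reflecting the request's own `Origin` header once it passes the same suffix check, would make the header effective. `response.headers["Vary"] = "Origin"` also overwrites any Vary value already on the response; `django.utils.cache.patch_vary_headers(response, ["Origin"])` merges with existing values instead. Separately, `host.endswith(settings.RTD_EXTERNAL_VERSION_DOMAIN)` accepts any host whose name merely ends in those characters; `host.endswith("." + settings.RTD_EXTERNAL_VERSION_DOMAIN)` is the stricter check, though `get_host()`'s ALLOWED_HOSTS validation already narrows what arrives here. The enclosing `add_cors_headers` begins before the hunk.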
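--- a/readthedocs/proxito/tests/test_headers.py
+++ b/readthedocs/proxito/tests/test_headers.py
@@ -2,7 +2,8 @@
 from django.test import override_settings
 from django.urls import reverse
 
-from readthedocs.builds.constants import LATEST
+from readthedocs.builds.constants import EXTERNAL, LATEST
+from readthedocs.builds.models import Version
 from readthedocs.projects.constants import PRIVATE, PUBLIC
 from readthedocs.projects.models import Domain, HTTPHeader
 
@@ -12,6 +13,7 @@
 @override_settings(
 PUBLIC_DOMAIN="dev.readthedocs.io",
 PUBLIC_DOMAIN_USES_HTTPS=True,
+RTD_EXTERNAL_VERSION_DOMAIN="dev.readthedocs.build",
 )
 class ProxitoHeaderTests(BaseDocServing):
 def test_redirect_headers(self):
@@ -159,10 +161,15 @@ def test_hosting_integrations_header(self):
 self.assertIsNotNone(r.get("X-RTD-Hosting-Integrations"))
 self.assertEqual(r["X-RTD-Hosting-Integrations"], "true")
 
-def test_cors_headers_private_version(self):
-version = self.project.versions.get(slug=LATEST)
-version.privacy_level = PRIVATE
-version.save()
+def test_cors_headers_non_external_domain(self):
+fixture.get(
+Version,
+project=self.project,
+slug="111",
+active=True,
+privacy_level=PUBLIC,
+type=EXTERNAL,
+)
 
 r = self.client.get(
 "/en/latest/", secure=True, headers={"host": "project.dev.readthedocs.io"}
@@ -171,17 +178,67 @@ def test_cors_headers_private_version(self):
 self.assertIsNone(r.get("Access-Control-Allow-Origin"))
 self.assertIsNone(r.get("Access-Control-Allow-Methods"))
 
+def test_cors_headers_private_version(self):
+fixture.get(
+Version,
+project=self.project,
+slug="111",
+active=True,
+privacy_level=PRIVATE,
+type=EXTERNAL,
+)
+
+r = self.client.get(
+"/en/111/",
+secure=True,
+headers={"host": "project--111.dev.readthedocs.build"},
+)
+self.assertEqual(r.status_code, 200)
+self.assertIsNone(r.get("Access-Control-Allow-Origin"))
+self.assertIsNone(r.get("Access-Control-Allow-Methods"))
+self.assertIsNone(r.get("Vary"))
+
 def test_cors_headers_public_version(self):
-version = self.project.versions.get(slug=LATEST)
-version.privacy_level = PUBLIC
-version.save()
+fixture.get(
+Version,
+project=self.project,
+slug="111",
+active=True,
+privacy_level=PUBLIC,
+type=EXTERNAL,
+)
 
 r = self.client.get(
-"/en/latest/", secure=True, headers={"host": "project.dev.readthedocs.io"}
+"/en/111/",
+secure=True,
+headers={"host": "project--111.dev.readthedocs.build"},
 )
 self.assertEqual(r.status_code, 200)
-self.assertEqual(r["Access-Control-Allow-Origin"], "*.readthedocs.build")
+self.assertEqual(
+r["Access-Control-Allow-Origin"], "project--111.dev.readthedocs.build"
+)
 self.assertEqual(r["Access-Control-Allow-Methods"], "OPTIONS, GET")
+self.assertEqual(r["Vary"], "Origin")
 
+@override_settings(ALLOW_PRIVATE_REPOS=True)
+def test_cors_headers_public_version_allow_private_repositories(self):
+fixture.get(
+Version,
+project=self.project,
+slug="111",
+active=True,
+privacy_level=PUBLIC,
+type=EXTERNAL,
+)
+
+r = self.client.get(
+"/en/111/",
+secure=True,
+headers={"host": "project--111.dev.readthedocs.build"},
+)
+self.assertEqual(r.status_code, 200)
+self.assertIsNone(r.get("Access-Control-Allow-Origin"))
+self.assertIsNone(r.get("Access-Control-Allow-Methods"))
+
 @override_settings(ALLOW_PRIVATE_REPOS=False)
 def test_cache_headers_public_version_with_private_projects_not_allowed(self):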
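Review bot: `test_cors_headers_non_external_domain` and `test_cors_headers_public_version_allow_private_repositories` assert only that the two `Access-Control-*` headers are absent, whereas `test_cors_headers_private_version` also checks `self.assertIsNone(r.get("Vary"))`; adding that line to both pins that the middleware withholds the whole header set on those paths. The public-version test pins `Access-Control-Allow-Origin` to the bare host `project--111.dev.readthedocs.build`, a value without a scheme; if the middleware is changed to emit a full origin, this assertion is the one to update alongside it. None of the tests sends an `Origin` request header, so `Vary: Origin` is asserted only by its literal value, not by any observable variation in the response.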