Skip preflight:

coder · Emyrk · Jun 6, 2023 · May 31, 2023 · May 31, 2023 · May 31, 2023
commit d85635cdbd81e5340b4d03bcf0a941feda078760
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -833,10 +833,7 @@ func New(options *Options) *API {
 	// This is the only route we add before all the middleware.
 	// We want to time the latency of the request, so any middleware will
 	// interfere with that timing.
-	rootRouter.Route("/latency-check", func(r chi.Router) {
-		r.Use(tracing.StatusWriterMiddleware, prometheusMW, cors)
-		r.Get("/", LatencyCheck(options.DeploymentValues.Dangerous.AllowAllCors.Value(), api.AccessURL))
-	})
+	rootRouter.Get("/latency-check", tracing.StatusWriterMiddleware(prometheusMW(LatencyCheck())).ServeHTTP)
 	rootRouter.Mount("/", r)
 	api.RootHandler = rootRouter
 

diff --git a/coderd/latencycheck.go b/coderd/latencycheck.go
@@ -2,31 +2,24 @@ package coderd
 
 import (
 	"net/http"
-	"net/url"
-	"strings"
 )
 
 // LatencyCheck is an endpoint for the web ui to measure latency with.
 // allowAll allows any Origin to get timing information. The allowAll should
 // only be set in dev modes.
 //
 //nolint:revive
-func LatencyCheck(allowAll bool, allowedOrigins ...*url.URL) http.HandlerFunc {
-	allowed := make([]string, 0, len(allowedOrigins))
-	for _, origin := range allowedOrigins {
-		// Allow the origin without a path
-		tmp := *origin
-		tmp.Path = ""
-		allowed = append(allowed, strings.TrimSuffix(origin.String(), "/"))
-	}
-	if allowAll {
-		allowed = append(allowed, "*")
-	}
-	origins := strings.Join(allowed, ",")
+func LatencyCheck() http.HandlerFunc {
 	return func(rw http.ResponseWriter, r *http.Request) {
 		// Allowing timing information to be shared. This allows the browser
 		// to exclude TLS handshake timing.
-		rw.Header().Set("Timing-Allow-Origin", origins)
+		rw.Header().Set("Timing-Allow-Origin", "*")
+		// Always allow all CORs on this route.
+		rw.Header().Set("Access-Control-Allow-Origin", "*")
+		rw.Header().Set("Access-Control-Allow-Headers", "*")
+		rw.Header().Set("Access-Control-Allow-Credentials", "false")
+		rw.Header().Set("Access-Control-Allow-Methods", "*")
 		rw.WriteHeader(http.StatusOK)
+		_, _ = rw.Write([]byte("OK"))
 	}
 }
diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go
@@ -259,10 +259,7 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 	// See coderd/coderd.go for why we need this.
 	rootRouter := chi.NewRouter()
 	// Make sure to add the cors middleware to the latency check route.
-	rootRouter.Route("/latency-check", func(r chi.Router) {
-		r.Use(tracing.StatusWriterMiddleware, prometheusMW, corsMW)
-		r.Get("/", coderd.LatencyCheck(opts.AllowAllCors, s.DashboardURL, s.AppServer.AccessURL))
-	})
+	rootRouter.Get("/latency-check", tracing.StatusWriterMiddleware(prometheusMW(coderd.LatencyCheck())).ServeHTTP)
 	rootRouter.Mount("/", r)
 	s.Handler = rootRouter
 

@@ -128,9 +128,6 @@ export const useProxyLatency = (
     const proxyRequests = Object.keys(proxyChecks).map((latencyURL) => {
       return axios.get(latencyURL, {
         withCredentials: false,
-        // Must add a custom header to make the request not a "simple request"
-        // https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
-        headers: { "X-LATENCY-CHECK": "true" },
       })
     })