From dfec519b260912a90a55a1457f625ad9944075d1 Mon Sep 17 00:00:00 2001 From: Asher Date: Fri, 9 Jun 2023 12:11:18 -0800 Subject: [PATCH 1/3] docs: document CORS behavior --- docs/networking/port-forwarding.md | 105 +++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) diff --git a/docs/networking/port-forwarding.md b/docs/networking/port-forwarding.md index a5ae27a6e1671..ff4673a5ed712 100644 --- a/docs/networking/port-forwarding.md +++ b/docs/networking/port-forwarding.md 
@@ -94,3 +94,108 @@ ssh -L 8080:localhost:8000 coder.myworkspace ``` You can read more on SSH port forwarding [here](https://www.ssh.com/academy/ssh/tunneling/example). + +## Cross-origin resource sharing (CORS) + +Coder automatically sets headers that allow requests between separately +forwarded applications belonging to the same user. + +### Authentication + +Since forwarded ports are private, cross-origin requests must include +credentials (set `credentials: "include"` if using `fetch`) or the requests +cannot be authenticated and you will see an error resembling the following: + +> Access to fetch at 'https://dev.coder.com/api/v2/applications/auth-redirect' from origin 'https://8000--dev--user--apps.dev.coder.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. + +### Headers + +Below is a list of the cross-origin headers Coder sets with example values: + +``` +access-control-allow-credentials: true +access-control-allow-methods: PUT +access-control-allow-headers: X-Custom-Header +access-control-allow-origin: https://8000--dev--user--apps.dev.coder.com +vary: Origin +vary: Access-Control-Request-Method +vary: Access-Control-Request-Headers +``` + +The allowed origin will be set to the origin provided by the browser if the +users are identical. Credentials are allowed and the allowed methods and headers +will echo whatever the request sends. + +### Configuration + +These cross-origin headers are not configurable by administrative settings. + +Applications can set their own headers which will override the defaults but this +will only apply to non-preflight requests. Preflight requests are never sent to +applications and thus cannot be modified by them. 
Read more about the difference +between simple requests and requests that trigger preflights +[here](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests). + +### Allowed by default + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FromAliceBob
Workspace 1Workspace 2Workspace 3
ToApp AApp BApp CApp D
AliceWorkspace 1App A**
App B✅**
Workspace 2App C**
BobWorkspace 3App D
+ +> '\*' means `credentials: "include"` is required From 9a80fe34eba284d099a61939c5b472872c482d60 Mon Sep 17 00:00:00 2001 From: Asher Date: Fri, 9 Jun 2023 12:48:35 -0800 Subject: [PATCH 2/3] docs: move CORS documentation under dashboard section None of this applies to ports forwarded in other ways. --- docs/networking/port-forwarding.md | 52 +++++++++++++++++------------- 1 file changed, 29 insertions(+), 23 deletions(-) diff --git a/docs/networking/port-forwarding.md b/docs/networking/port-forwarding.md index ff4673a5ed712..50d61c52736df 100644 --- a/docs/networking/port-forwarding.md +++ b/docs/networking/port-forwarding.md 
@@ -84,31 +84,25 @@ Valid `share` values include `owner` - private to the user, `authenticated` - ac ![Port forwarding from an app in the UI](../images/coderapp-port-forward.png) -## SSH +### Cross-origin resource sharing (CORS) -First, [configure SSH](../ides.md#ssh-configuration) on your -local machine. Then, use `ssh` to forward like so: +When forwarding via the dashboard, Coder automatically sets headers that allow +requests between separately forwarded applications belonging to the same user. -```console -ssh -L 8080:localhost:8000 coder.myworkspace -``` +When forwarding through other methods the application itself will need to set +its own CORS headers if they are being forwarded through different origins since +Coder does not intercept these cases. See below for the required headers. -You can read more on SSH port forwarding [here](https://www.ssh.com/academy/ssh/tunneling/example). - -## Cross-origin resource sharing (CORS) - -Coder automatically sets headers that allow requests between separately -forwarded applications belonging to the same user. +#### Authentication -### Authentication - -Since forwarded ports are private, cross-origin requests must include -credentials (set `credentials: "include"` if using `fetch`) or the requests -cannot be authenticated and you will see an error resembling the following: +Since ports forwarded through the dashboard are private, cross-origin requests +must include credentials (set `credentials: "include"` if using `fetch`) or the +requests cannot be authenticated and you will see an error resembling the +following: > Access to fetch at 'https://dev.coder.com/api/v2/applications/auth-redirect' from origin 'https://8000--dev--user--apps.dev.coder.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. 
-### Headers +#### Headers Below is a list of the cross-origin headers Coder sets with example values: @@ -126,17 +120,18 @@ The allowed origin will be set to the origin provided by the browser if the users are identical. Credentials are allowed and the allowed methods and headers will echo whatever the request sends. -### Configuration +#### Configuration These cross-origin headers are not configurable by administrative settings. Applications can set their own headers which will override the defaults but this -will only apply to non-preflight requests. Preflight requests are never sent to -applications and thus cannot be modified by them. Read more about the difference -between simple requests and requests that trigger preflights +will only apply to non-preflight requests. Preflight requests through the +dashboard are never sent to applications and thus cannot be modified by +them. Read more about the difference between simple requests and requests that +trigger preflights [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests). -### Allowed by default +#### Allowed by default @@ -199,3 +194,14 @@ between simple requests and requests that trigger preflights
> '\*' means `credentials: "include"` is required + +## SSH + +First, [configure SSH](../ides.md#ssh-configuration) on your +local machine. Then, use `ssh` to forward like so: + +```console +ssh -L 8080:localhost:8000 coder.myworkspace +``` + +You can read more on SSH port forwarding [here](https://www.ssh.com/academy/ssh/tunneling/example). From 289f059ef33fdca13951ad345c74f71197a2be94 Mon Sep 17 00:00:00 2001 From: Ben Date: Mon, 12 Jun 2023 20:56:35 +0000 Subject: [PATCH 3/3] attempt to fix ci with empty commit
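Review bot: In the first commit's CORS hunk, the "Headers" paragraph ("The allowed origin will be set to the origin provided by the browser if the users are identical... the allowed methods and headers will echo whatever the request sends") leaves the failure case implicit: it should say that when the Origin does not belong to an app owned by the same user, no `access-control-allow-origin` header is emitted at all, which is exactly the browser error quoted in the "Authentication" section. The "Allowed by default" table would also benefit from a legend line defining an empty cell (blocked, not merely "no credentials needed"), alongside the existing `'\*'` note, so readers do not mistake blank cells for missing data.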
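Review bot: In the second commit's first hunk, "See below for the required headers" is misleading for the non-dashboard case: the listed headers are what Coder emits after it has already verified that the Origin belongs to the same user, and they reflect the request's Origin together with `access-control-allow-credentials: true`. An application that copies that pattern for ports forwarded by other means would be reflecting arbitrary origins with credentials, since Coder "does not intercept these cases" and performs no ownership check there. Suggest rewording to "See below for the headers Coder sets when forwarding through the dashboard; an application forwarded another way must allowlist the specific origins it trusts rather than echo the request's Origin."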
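Review bot: In the second commit's second hunk, the clarified sentence "Preflight requests through the dashboard are never sent to applications" should be paired with the converse for the other forwarding methods introduced earlier in this commit: when an application is forwarded outside the dashboard, it must answer `OPTIONS` preflights itself, otherwise any non-simple cross-origin request (custom headers, `PUT`) fails before the application's own CORS headers on the real response are ever consulted. One added sentence here would close that gap; the heading demotions from `###` to `####` are consistent across the section and look fine.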