chore: Allow cors requests to workspace proxies for latency checks (coder#7484)

Emyrk · pull[bot] · commit 8917ae84db32 · 2024-03-05T14:05:24.000Z
* CSP addition for web requests
* chore: Add cors to workspace proxies to allow for latency checks
diff --git a/coderd/httpmw/csp.go b/coderd/httpmw/csp.go
@@ -104,6 +104,8 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
 			if len(extraConnect) > 0 {
 				for _, extraHost := range extraConnect {
 					cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("wss://%[1]s ws://%[1]s", extraHost))
+					// We also require this to make http/https requests to the workspace proxy for latency checking.
+					cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("https://%[1]s http://%[1]s", extraHost))
 				}
 			}
 
diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/cors"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
 	"go.opentelemetry.io/otel/trace"
@@ -197,6 +198,20 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 		httpmw.ExtractRealIP(s.Options.RealIPConfig),
 		httpmw.Logger(s.Logger),
 		httpmw.Prometheus(s.PrometheusRegistry),
+		// The primary coderd dashboard needs to make some GET requests to
+		// the workspace proxies to check latency.
+		cors.Handler(cors.Options{
+			AllowedOrigins: []string{
+				// Allow the dashboard to make requests to the proxy for latency
+				// checks.
+				opts.DashboardURL.String(),
+			},
+			// Only allow GET requests for latency checks.
+			AllowedMethods: []string{http.MethodGet},
+			AllowedHeaders: []string{"Accept", "Content-Type"},
+			// Do not send any cookies
+			AllowCredentials: false,
+		}),
 
 		// HandleSubdomain is a middleware that handles all requests to the
 		// subdomain-based workspace apps.
diff --git a/go.mod b/go.mod
@@ -174,7 +174,10 @@ require (
 	tailscale.com v1.32.2
 )
 
-require github.com/armon/go-radix v1.0.0 // indirect
+require (
+	github.com/armon/go-radix v1.0.0 // indirect
+	github.com/go-chi/cors v1.2.1 // indirect
+)
 
 require (
 	cloud.google.com/go/compute v1.18.0 // indirect
diff --git a/go.sum b/go.sum
@@ -599,6 +599,8 @@ github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
 github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
 github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8=
 github.com/go-chi/chi/v5 v5.0.7/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
+github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/httprate v0.7.1 h1:d5kXARdms2PREQfU4pHvq44S6hJ1hPu4OXLeBKmCKWs=
 github.com/go-chi/httprate v0.7.1/go.mod h1:6GOYBSwnpra4CQfAKXu8sQZg+nZ0M1g9QnyFvxrAB8A=
 github.com/go-chi/render v1.0.1 h1:4/5tis2cKaNdnv9zFLfXzcquC9HbeZgCnxGnKrltBS8=

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,8 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han`
`104`	`104`	`if len(extraConnect) > 0 {`
`105`	`105`	`for _, extraHost := range extraConnect {`
`106`	`106`	`cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("wss://%[1]s ws://%[1]s", extraHost))`
	`107`	`+ // We also require this to make http/https requests to the workspace proxy for latency checking.`
	`108`	`+ cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("https://%[1]s http://%[1]s", extraHost))`
`107`	`109`	`}`
`108`	`110`	`}`
`109`	`111`