Adding an app setting to allow CORS configuration (#9846)

Author: soninaren

release_notes.md

@@ -13,3 +13,4 @@
     - Customers can opt-out of this behavior by setting `SendCanceledInvocationsToWorker` to `false` in host.json
   - If a worker does not support CancellationTokens, cancelled invocations will not be sent to the worker
 - Warn when `FUNCTIONS_WORKER_RUNTIME` is not set (#9799)
+- Add an app setting to allow CORS configuration (#9846)

src/WebJobs.Script.WebHost/Configuration/CorsOptionsSetup.cs

@@ -2,9 +2,7 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
-using System.Collections.Generic;
 using System.Linq;
-using System.Threading.Tasks;
 using Microsoft.AspNetCore.Cors.Infrastructure;
 using Microsoft.Extensions.Options;
 
@@ -23,7 +21,7 @@ public CorsOptionsSetup(IEnvironment env, IOptions<HostCorsOptions> hostCorsOpti
 
         public void Configure(CorsOptions options)
         {
-            if (_env.IsAnyLinuxConsumption())
+            if (_env.IsAnyLinuxConsumption() || _env.IsCorsConfigurationEnabled())
             {
                 string[] allowedOrigins = _hostCorsOptions.Value.AllowedOrigins?.ToArray() ?? Array.Empty<string>();
                 var policyBuilder = new CorsPolicyBuilder(allowedOrigins);

src/WebJobs.Script.WebHost/WebScriptHostBuilderExtension.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Net.Http;
+using System.Runtime.InteropServices;
 using Microsoft.AspNetCore.Mvc.ApplicationParts;
 using Microsoft.Azure.WebJobs.Host.Config;
 using Microsoft.Azure.WebJobs.Host.Executors;
@@ -125,11 +126,17 @@ public static IHostBuilder AddWebScriptHost(this IHostBuilder builder, IServiceP
                     services.TryAddSingleton<IJobHostMiddlewarePipeline, DefaultMiddlewarePipeline>();
                     services.TryAddEnumerable(ServiceDescriptor.Singleton<IJobHostHttpMiddleware, CustomHttpHeadersMiddleware>());
                     services.TryAddEnumerable(ServiceDescriptor.Singleton<IJobHostHttpMiddleware, HstsConfigurationMiddleware>());
-                    if (environment.IsAnyLinuxConsumption())
+
+                    bool isAnyLinuxConsumption = environment.IsAnyLinuxConsumption();
+
+                    if (isAnyLinuxConsumption || environment.IsCorsConfigurationEnabled())
                     {
                         services.AddSingleton<ICorsMiddlewareFactory, CorsMiddlewareFactory>();
                         services.TryAddEnumerable(ServiceDescriptor.Singleton<IJobHostHttpMiddleware, JobHostCorsMiddleware>());
+                    }
 
+                    if (isAnyLinuxConsumption)
+                    {
                         // EasyAuth must go after CORS, as CORS preflight requests can happen before authentication
                         services.TryAddEnumerable(ServiceDescriptor.Singleton<IJobHostHttpMiddleware, JobHostEasyAuthMiddleware>());
                     }

src/WebJobs.Script/Environment/EnvironmentExtensions.cs

@@ -165,6 +165,11 @@ public static bool IsContainer(this IEnvironment environment)
                 && runningInContainerValue;
         }
 
+        public static bool IsCorsConfigurationEnabled(this IEnvironment environment)
+        {
+            return environment.GetEnvironmentVariable(EnableCorsConfiguration) == "1";
+        }
+
         public static bool IsPersistentFileSystemAvailable(this IEnvironment environment)
         {
             return environment.IsWindowsAzureManagedHosting()

src/WebJobs.Script/Environment/EnvironmentSettingNames.cs

@@ -113,6 +113,7 @@ public static class EnvironmentSettingNames
         public const string LinuxAzureAppServiceStorage = "WEBSITES_ENABLE_APP_SERVICE_STORAGE";
         public const string CoreToolsEnvironment = "FUNCTIONS_CORETOOLS_ENVIRONMENT";
         public const string RunningInContainer = "DOTNET_RUNNING_IN_CONTAINER";
+        public const string EnableCorsConfiguration = "FUNCTIONS_ENABLE_CORS_CONFIGURATION";
 
         public const string ExtensionBundleSourceUri = "FUNCTIONS_EXTENSIONBUNDLE_SOURCE_URI";
 

test/WebJobs.Script.Tests/Middleware/CorsConfigurationMiddlewareTests.cs

@@ -54,12 +54,14 @@ public async Task Invoke_HasCorsConfig_InvokesNext()
             Assert.True(nextInvoked);
         }
 
-        [Fact]
-        public async Task Invoke_OriginAllowed_AddsExpectedHeaders()
+        [Theory]
+        [InlineData(EnvironmentSettingNames.ContainerName, "foo")]
+        [InlineData(EnvironmentSettingNames.EnableCorsConfiguration, "1")]
+        public async Task Invoke_OriginAllowed_AddsExpectedHeaders(string appSettingName, string appSettingValue)
         {
             var envars = new Dictionary<string, string>()
             {
-                { EnvironmentSettingNames.ContainerName, "foo" },
+                { appSettingName, appSettingValue }
             };
             var testEnv = new TestEnvironment(envars);
             var testOrigin = "https://functions.azure.com";
@@ -107,12 +109,14 @@ public async Task Invoke_OriginAllowed_AddsExpectedHeaders()
             Assert.Equal("true", allowCredsHeaderValues.FirstOrDefault());
         }
 
-        [Fact]
-        public async Task Invoke_OriginNotAllowed_DoesNotAddHeaders()
+        [Theory]
+        [InlineData(EnvironmentSettingNames.ContainerName, "foo")]
+        [InlineData(EnvironmentSettingNames.EnableCorsConfiguration, "1")]
+        public async Task Invoke_OriginNotAllowed_DoesNotAddHeaders(string appSettingName, string appSettingValue)
         {
             var envars = new Dictionary<string, string>()
             {
-                { EnvironmentSettingNames.ContainerName, "foo" },
+                { appSettingName, appSettingValue }
             };
             var testEnv = new TestEnvironment(envars);
             var badOrigin = "http://badorigin.com";
@@ -161,12 +165,14 @@ public async Task Invoke_OriginNotAllowed_DoesNotAddHeaders()
             Assert.False(response.Headers.TryGetValues("Access-Control-Allow-Methods", out allowMethods));
         }
 
-        [Fact]
-        public async Task Invoke_Adds_AccessControlAllowMethods()
+        [Theory]
+        [InlineData(EnvironmentSettingNames.ContainerName, "foo")]
+        [InlineData(EnvironmentSettingNames.EnableCorsConfiguration, "1")]
+        public async Task Invoke_Adds_AccessControlAllowMethods(string appSettingName, string appSettingValue)
         {
             var envars = new Dictionary<string, string>()
             {
-                { EnvironmentSettingNames.ContainerName, "foo" },
+                { appSettingName, appSettingValue }
             };
             var testEnv = new TestEnvironment(envars);
             var testOrigin = "https://functions.azure.com";