Allow for the configuration of Access-Control-Allow-Origin

dekobon · dekobon · commit 1828f68e8f0d · 2022-12-14T13:10:44.000-08:00
Signed-off-by: Elijah Zupancic &lt;e.zupancic@f5.com&gt;
diff --git a/common/docker-entrypoint.sh b/common/docker-entrypoint.sh
@@ -50,6 +50,10 @@ else
   export LIMIT_METHODS_TO_CSV="GET, HEAD"
 fi
 
+if [ -z "${CORS_ALLOWED_ORIGIN+x}" ]; then
+  export CORS_ALLOWED_ORIGIN="*"
+fi
+
 # Nothing is modified under this line
 
 if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
diff --git a/common/etc/nginx/templates/gateway/cors.conf.template b/common/etc/nginx/templates/gateway/cors.conf.template
@@ -1,7 +1,7 @@
 set $request_cors "${request_method}_${CORS_ENABLED}";
 
 if ($request_cors = "OPTIONS_1") {
-    add_header 'Access-Control-Allow-Origin' '*';
+    add_header 'Access-Control-Allow-Origin' '${CORS_ALLOWED_ORIGIN}';
     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
     #
     # Custom headers and headers various browsers *should* be OK with but aren't
@@ -17,14 +17,14 @@ if ($request_cors = "OPTIONS_1") {
 }
 
 if ($request_cors = "GET_1") {
-    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Origin' '${CORS_ALLOWED_ORIGIN}' always;
     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
     add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
     add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
 }
 
 if ($request_cors = "HEAD_1") {
-    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Origin' '${CORS_ALLOWED_ORIGIN}' always;
     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
     add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
     add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
diff --git a/docs/getting_started.md b/docs/getting_started.md
@@ -45,6 +45,9 @@ running as a Container or as a Systemd service.
   [this example](https://enable-cors.org/server_nginx.html).
   CORS settings can be fine-tuned by overwriting the 
   [`cors.conf.template`](/common/etc/nginx/templates/gateway/cors.conf.template) file. (default: false)
+* `CORS_ALLOWED_ORIGIN` - (optional) value to set to be returned from the
+  CORS `Access-Control-Allow-Origin` header. This value is only used if 
+  CORS is enabled. (default: *)
 
 If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html),
 you will need to omit the `S3_ACCESS_KEY_ID` and `S3_SECRET_KEY` variables from
