Add CORS allowed origins config override to app host #6250
Conversation
JamesNK
added
the
area-app-model
|
This is a feature.... |
Because it is a new config setting? IMO it's a bug fix for scenarios where browser telemetry feature doesn't work. If it doesn't meet the bar then it can be moved to post 9.0. |
JamesNK
added
NO-MERGE
JamesNK
force-pushed
the
jamesnk/add-apphost-cors-config-override
branch
from
fbf7f87 to
2e64ef9
Compare
|
@mitchdenny Can you take a look? The changes are all in the app host. |
|
Implementations wise I have no problem with this. The only thing that gives me pause is whether it might be better to have some kind of mechanism to add to the computed origins list rather than completely replacing it. That said, I think that given this only impacts the OTLP endpoint means its probably not much of a security concern. After all most telemetry endpoints are fairly permissive anyway and this is still just locally bound. We should probably mention this in the threat model? |
I think it is simplest to understand if it is a replace. That means setting If it turns out we want a third option we could look at that as a different setting.
Sure |
Description
The dashboard supports OTLP HTTP and CORS to get telemetry from browser apps. CORS allowed origins are automatically calculated based on resource endpoints.
However, there are some scenarios where automatic CORS endpoints don't work:
These origins aren't automatically added and so sending telemetry fails.
The fix in this PR is to add manual dashboard CORS configuration to the app host. When the dashboard resource is configured, the app host manual configuration is simply forwarded to the dashboard. If there is no dashboard configuration then the existing logic is used.
Fixes #6249
Fixes customer bug with existing feature.
Intended for 9.0.Checklist
<remarks />and<code />elements on your triple slash comments?Microsoft Reviewers: Open in CodeFlow