Allow configuring Access-Control-Allow-Origin header #535

Open
2 tasks done
PhilGrayson-flutterint opened this issue Sep 2, 2024 · 1 comment
Labels

  • area/auth: App authentication related issues
  • good first issue: Up for grabs
  • scope/backend: Related to backend changes
  • status/triage/completed: Automatic triage completed
  • type/enhancement: An enhancement/improvement to an already existing feature

Comments


PhilGrayson-flutterint commented Sep 2, 2024

Issue submitter TODO list

  • I've searched for already existing issues here
  • I'm running a supported version of the application which is listed here and the feature is not present there

Is your proposal related to a problem?

No response

Describe the feature you're interested in

I'd like to be able to define a custom Access-Control-Allow-Origin header value, in order to restrict other websites from accessing my deployment of Kafka-UI APIs.

The header value is currently hardcoded to * in CorsGlobalConfiguration.java.

It'll be nice if this was configurable via spring properties.

Describe alternatives you've considered

I considered mutating the header at the load balancer level. Unfortunately, I'm using an AWS ALB load balancer and I don't think this feature is supported. At least, not via the Kubernetes ALB ingress controller.

Kafka-UI with oauth2 does prevent cross-origin requests because:

  • Kafka-UI redirects unauthenticated requests to the oauth2 auth provider
    AND
  • Browsers do not send authentication details cross-origin because Access-Control-Allow-Credentials header is not set

But as a defense-in-depth approach, it would still be good to control the value of Access-Control-Allow-Origin header.

Version you're running

8c70126

Additional context

No response
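
One way the requested behaviour could look, as an added example that is not Kafka-UI code and not part of the issue: a Spring `CorsWebFilter` whose origin allowlist comes from a property. It assumes a Spring WebFlux application; the class name, the property `example.cors.allowed-origins` and the sample origins are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

// Added example, not Kafka-UI code. Class and property names are hypothetical.
@Configuration
public class ConfigurableCorsExample {

  // Comma-separated list of exact origins, for example (constructed values):
  //   example.cors.allowed-origins=https://kafka-ui.example.internal,https://ops.example.internal
  // Defaults to an empty string when the property is not set.
  @Value("${example.cors.allowed-origins:}")
  private String allowedOriginsProperty;

  @Bean
  public CorsWebFilter corsWebFilter() {
    // Parse the property by hand so blanks and stray commas are ignored.
    List<String> origins = Arrays.stream(allowedOriginsProperty.split(","))
        .map(String::trim)
        .filter(origin -> !origin.isEmpty())
        .collect(Collectors.toList());

    CorsConfiguration cors = new CorsConfiguration();
    // Only a request whose Origin matches an entry gets
    // Access-Control-Allow-Origin in the response. With an empty list,
    // every cross-origin request is rejected; same-origin requests are
    // not CORS requests and pass through untouched.
    cors.setAllowedOrigins(origins);
    cors.setAllowedMethods(List.of("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
    cors.addAllowedHeader("*");
    // Keep Access-Control-Allow-Credentials unset, as the issue describes,
    // so browsers do not attach credentials to cross-origin calls.
    cors.setAllowCredentials(false);
    cors.setMaxAge(3600L);

    // Apply the same policy to every path served by the application.
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", cors);
    return new CorsWebFilter(source);
  }
}
```

Defaulting to an empty allowlist is a design choice of this example; a project that currently sends `*` would need to decide whether to keep that as the default for backward compatibility.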

PhilGrayson-flutterint added the status/triage (Issues pending maintainers triage) and type/feature (A brand new feature) labels, Sep 2, 2024

kapybro bot added the status/triage/manual (Manual triage in progress) and status/triage/completed (Automatic triage completed) labels and removed the status/triage (Issues pending maintainers triage) label, Sep 2, 2024

github-actions bot commented Sep 2, 2024

Hi PhilGrayson-flutterint! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

Haarolean added the good first issue (Up for grabs), type/enhancement (An enhancement/improvement to an already existing feature), scope/backend (Related to backend changes) and area/auth (App authentication related issues) labels and removed the type/feature (A brand new feature) and status/triage/manual (Manual triage in progress) labels, Sep 3, 2024