environmentd: allow widening CORS allowlist via system variable#37621
Draft
jubrad wants to merge 1 commit into
Draft
environmentd: allow widening CORS allowlist via system variable#37621jubrad wants to merge 1 commit into
jubrad wants to merge 1 commit into
Conversation
28180a8 to
cb12ac4
Compare
Add the http_additional_cors_allowed_origins system variable (superuser settable). Origins listed there (comma-separated, same syntax as --cors-allowed-origin) are allowed for CORS in addition to the origins provided at startup. The variable can only widen the allowlist: startup origins can never be removed through it. The variable value reaches the HTTP servers the same way connection limits do: the coordinator registers a system variable callback that writes the parsed origins into a shared handle the CORS predicate reads on every origin check, so ALTER SYSTEM SET takes effect without a restart. A domain constraint rejects origins that are not valid header values at SET time. The MCP server-side Origin check (DNS rebinding defense) honors the same union. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
cb12ac4 to
2e60a7f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
The HTTP API CORS allowlist is fixed at startup via
--cors-allowed-origin. Adding an origin (e.g. a new console deployment or a customer-facing tool) requires an environment restart. This adds a way to extend the allowlist at runtime.Description
Adds the
http_additional_cors_allowed_originssystem variable (comma-separated list, default empty), settable by superusers:Takes effect on the next request, no restart. Entries use the same syntax as the CLI flag: exact origin, wildcard subdomain (
*.example.com), or bare*.The variable is checked as a union with the startup list, so it can only widen the allowlist. Origins provided via
--cors-allowed-origin(needed to manage Materialize) can never be removed or overridden through the variable.Implementation, following the
max_connectionsplumbing pattern:HTTP_ADDITIONAL_CORS_ALLOWED_ORIGINSis a regularVarDefinition(user visible, added touser_modifiablelikenetwork_policy). ACorsOriginListdomain constraint rejects entries that are not valid header values at SET time.connection_limit_callback) that hands the raw value to environmentd via the newmz_adapter::Config::additional_cors_origins_callback. environmentd parses it and writes the origins into a sharedArc<RwLock<Vec<HeaderValue>>>.AllowedOriginsinenvironmentd::httpholds the startup list plus that shared handle and backs anAllowOrigin::predicatefor bothCorsLayers (base router and MCP router).AllowOriginis dropped fromServeConfig/HttpConfig, the raw origin list is now the single source of truth. Newmz_http_util::parse_origin_listhelper.One minor behavior change: a bare
*in the CLI list previously producedAllowOrigin::any()(a literal*response header), it now mirrors the request origin. Equivalent for browsers.Tests:
test_parse_origin_list(mz-http-util),cors_origins_var_user_settable(mz-sql, superuser can see and modify the var), extendedtest_validate_origin(mz-environmentd, origins added through the shared handle take effect dynamically).SHOW ALLoutput intest/testdrive/session.tdupdated for the new user-visible variable.Tips for reviewer
CORS preflights always return 200, denial is the absence of the
access-control-allow-originresponse header. CORS is a browser-side control, the only server-side origin rejection (403) is on the MCP endpoints.Checklist
T-protolabel.🤖 Generated with Claude Code