http: add cors filtering#10106
Open
jherrera-jump wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds configurable CORS handling to Firedancer’s embedded HTTP server usage (GUI + metrics), including parsing the Origin request header, generating Access-Control-* response headers, and wiring an origin allowlist through config → topology → tiles.
Changes:
- Add CORS origin allowlist constants/util (
fd_http_cors_match_origin) and parse theOriginrequest header in the HTTP server. - Add per-tile
access_control_allow_originconfiguration fortiles.guiandtiles.metric, includingOPTIONSpreflight handling and emittingAllow/Vary: Origin. - Update HTTP server footprint assertions in tests and propagate new config fields through topology setup.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| src/waltz/http/test_http_server.c | Updates expected server footprint values due to added server state/headers. |
| src/waltz/http/fd_http.h | Introduces CORS allowlist sizing constants and an origin matching helper. |
| src/waltz/http/fd_http_server.h | Extends request/response structs with Origin and Allow header support. |
| src/waltz/http/fd_http_server.c | Parses Origin, emits Allow, and adds Vary: Origin for non-wildcard CORS. |
| src/disco/topo/fd_topo.h | Adds CORS allowlist storage to GUI + metrics tile config in topology. |
| src/disco/metrics/fd_metric_tile.c | Implements metrics CORS allowlisting and OPTIONS preflight responses. |
| src/disco/gui/fd_gui_tile.c | Implements GUI CORS allowlisting and OPTIONS preflight responses. |
| src/app/shared/fd_config.h | Adds CORS allowlist fields to config structs for GUI + metrics tiles. |
| src/app/shared/fd_config_parse.c | Parses new TOML array config into *_cnt + fixed-size arrays. |
| src/app/firedancer/topology.c | Copies parsed allowlists into tile topology structs for Firedancer. |
| src/app/firedancer/config/default.toml | Documents and adds default access_control_allow_origin = [] for tiles. |
| src/app/fdctl/topology.c | Copies parsed allowlists into tile topology structs for fdctl. |
| src/app/fdctl/config/default.toml | Documents and adds default access_control_allow_origin = [] for tiles. |
Comments suppressed due to low confidence (1)
src/disco/metrics/fd_metric_tile.c:96
- If an allowed Origin triggers a metrics request but staging the body fails, the 500 response should still carry Access-Control-Allow-Origin; otherwise browser clients can't read the error status due to CORS.
if( FD_UNLIKELY( fd_http_server_stage_body( ctx->metrics_server, &response ) ) ) {
FD_LOG_WARNING(( "fd_http_server_stage_body failed, metrics response too long" ));
return (fd_http_server_response_t){
.status = 500,
};
}
jherrera-jump
force-pushed
the
jherrera/http-cors-filter
branch
from
b3b4e8d to
5bf6689
Compare
jherrera-jump
force-pushed
the
jherrera/http-cors-filter
branch
from
5bf6689 to
2ca2535
Compare
jherrera-jump
force-pushed
the
jherrera/http-cors-filter
branch
2 times, most recently
from
64aa390 to
cd3870d
Compare
jherrera-jump
force-pushed
the
jherrera/http-cors-filter
branch
from
cd3870d to
1ab4703
Compare
jherrera-jump
force-pushed
the
jherrera/http-cors-filter
branch
from
1ab4703 to
e53676d
Compare
jherrera-jump
force-pushed
the
jherrera/http-cors-filter
branch
from
e53676d to
1710251
Compare
jherrera-jump
force-pushed
the
jherrera/http-cors-filter
branch
from
1710251 to
5a95d9d
Compare
Comment on lines
+1577
to
+1584
| <<<<<<< HEAD | ||
| tile->gui.cache_size_gib = config->firedancer.accounts.cache_size_gib; | ||
| tile->gui.accdb_obj_id = fd_pod_query_ulong( config->topo.props, "accdb", ULONG_MAX ); | ||
| FD_TEST( tile->gui.accdb_obj_id!=ULONG_MAX ); | ||
| ======= | ||
| tile->gui.access_control_allow_origin_cnt = config->tiles.gui.access_control_allow_origin_cnt; | ||
| fd_memcpy( tile->gui.access_control_allow_origin, config->tiles.gui.access_control_allow_origin, sizeof(tile->gui.access_control_allow_origin) ); | ||
| >>>>>>> e53676dcc1 (http: add cors filtering) |
jherrera-jump
force-pushed
the
jherrera/http-cors-filter
branch
from
5a95d9d to
b8c6657
Compare
| static fd_http_server_response_t | ||
| rpc_http_request1( fd_rpc_tile_t * ctx, | ||
| fd_http_server_request_t const * request ) { | ||
| char const * allow_origin = fd_http_cors_match_origin( ctx->cors_origin, ctx->cors_origin_cnt, request->headers.origin ); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds option to allow operators to enable CORS filtering. Disabled by default.