-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor CORS handler (#28587) #28611
Conversation
The CORS code has been unmaintained for long time, and the behavior is not correct. This PR tries to improve it. The key point is written as comment in code. And add more tests. Fix go-gitea#28515 Fix go-gitea#27642 Fix go-gitea#17098 # Conflicts: # tests/integration/cors_test.go
;; scheme of allowed requests | ||
;SCHEME = http | ||
;; | ||
;; list of requesting domains that are allowed | ||
;; list of requesting origins that are allowed, eg: "https://*.example.com" | ||
;ALLOW_DOMAIN = * | ||
;; | ||
;; allow subdomains of headers listed above to request | ||
;ALLOW_SUBDOMAIN = false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not really a fan of backporting config "changes" as that's unexpected in a minor version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nevertheless, I think we should also add one of these config <x> is no longer used
warnings for these two (at best in main, and then backport to 1.21 as well).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not really a fan of backporting config "changes" as that's unexpected in a minor version.
It's not "changes", but it's "bug fix", because these options have been no-op for long time, keeping them would only mislead users but don't bring any real benefit.
Nevertheless, I think we should also add one of these
config <x> is no longer used
warnings for these two (at best in main, and then backport to 1.21 as well).
I think it should be handled by the config framework automatically in the future, to help users to find their low-level mistakes. At this moment, I don't like adding them one by one manually.
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [docker.io/gitea/gitea](https://github.com/go-gitea/gitea) | patch | `1.21.3` -> `1.21.4` | --- ### Release Notes <details> <summary>go-gitea/gitea (docker.io/gitea/gitea)</summary> ### [`v1.21.4`](https://github.com/go-gitea/gitea/releases/tag/v1.21.4) [Compare Source](go-gitea/gitea@v1.21.3...v1.21.4) - SECURITY - Update github.com/cloudflare/circl ([#​28789](go-gitea/gitea#28789)) ([#​28790](go-gitea/gitea#28790)) - Require token for GET subscription endpoint ([#​28765](go-gitea/gitea#28765)) ([#​28768](go-gitea/gitea#28768)) - BUGFIXES - Use refname:strip-2 instead of refname:short when syncing tags ([#​28797](go-gitea/gitea#28797)) ([#​28811](go-gitea/gitea#28811)) - Fix links in issue card ([#​28806](go-gitea/gitea#28806)) ([#​28807](go-gitea/gitea#28807)) - Fix nil pointer panic when exec some gitea cli command ([#​28791](go-gitea/gitea#28791)) ([#​28795](go-gitea/gitea#28795)) - Require token for GET subscription endpoint ([#​28765](go-gitea/gitea#28765)) ([#​28778](go-gitea/gitea#28778)) - Fix button size in "attached header right" ([#​28770](go-gitea/gitea#28770)) ([#​28774](go-gitea/gitea#28774)) - Fix `convert.ToTeams` on empty input ([#​28426](go-gitea/gitea#28426)) ([#​28767](go-gitea/gitea#28767)) - Hide code related setting options in repository when code unit is disabled ([#​28631](go-gitea/gitea#28631)) ([#​28749](go-gitea/gitea#28749)) - Fix incorrect URL for "Reference in New Issue" ([#​28716](go-gitea/gitea#28716)) ([#​28723](go-gitea/gitea#28723)) - Fix panic when parsing empty pgsql host ([#​28708](go-gitea/gitea#28708)) ([#​28709](go-gitea/gitea#28709)) - Upgrade xorm to new version which supported update join for all supported databases ([#​28590](go-gitea/gitea#28590)) ([#​28668](go-gitea/gitea#28668)) - Fix alpine package files are not rebuilt ([#​28638](go-gitea/gitea#28638)) ([#​28665](go-gitea/gitea#28665)) - Avoid cycle-redirecting user/login page ([#​28636](go-gitea/gitea#28636)) ([#​28658](go-gitea/gitea#28658)) - Fix empty ref for cron workflow runs ([#​28640](go-gitea/gitea#28640)) ([#​28647](go-gitea/gitea#28647)) - Remove unnecessary syncbranchToDB with tests ([#​28624](go-gitea/gitea#28624)) ([#​28629](go-gitea/gitea#28629)) - Use known issue IID to generate new PR index number when migrating from GitLab ([#​28616](go-gitea/gitea#28616)) ([#​28618](go-gitea/gitea#28618)) - Fix flex container width ([#​28603](go-gitea/gitea#28603)) ([#​28605](go-gitea/gitea#28605)) - Fix the scroll behavior for emoji/mention list ([#​28597](go-gitea/gitea#28597)) ([#​28601](go-gitea/gitea#28601)) - Fix wrong due date rendering in issue list page ([#​28588](go-gitea/gitea#28588)) ([#​28591](go-gitea/gitea#28591)) - Fix `status_check_contexts` matching bug ([#​28582](go-gitea/gitea#28582)) ([#​28589](go-gitea/gitea#28589)) - Fix 500 error of searching commits ([#​28576](go-gitea/gitea#28576)) ([#​28579](go-gitea/gitea#28579)) - Use information from previous blame parts ([#​28572](go-gitea/gitea#28572)) ([#​28577](go-gitea/gitea#28577)) - Update mermaid for 1.21 ([#​28571](go-gitea/gitea#28571)) - Fix 405 method not allowed CORS / OIDC ([#​28583](go-gitea/gitea#28583)) ([#​28586](go-gitea/gitea#28586)) ([#​28587](go-gitea/gitea#28587)) ([#​28611](go-gitea/gitea#28611)) - Fix `GetCommitStatuses` ([#​28787](go-gitea/gitea#28787)) ([#​28804](go-gitea/gitea#28804)) - Forbid removing the last admin user ([#​28337](go-gitea/gitea#28337)) ([#​28793](go-gitea/gitea#28793)) - Fix schedule tasks bugs ([#​28691](go-gitea/gitea#28691)) ([#​28780](go-gitea/gitea#28780)) - Fix issue dependencies ([#​27736](go-gitea/gitea#27736)) ([#​28776](go-gitea/gitea#28776)) - Fix system webhooks API bug ([#​28531](go-gitea/gitea#28531)) ([#​28666](go-gitea/gitea#28666)) - Fix when private user following user, private user will not be counted in his own view ([#​28037](go-gitea/gitea#28037)) ([#​28792](go-gitea/gitea#28792)) - Render code block in activity tab ([#​28816](go-gitea/gitea#28816)) ([#​28818](go-gitea/gitea#28818)) - ENHANCEMENTS - Rework markup link rendering ([#​26745](go-gitea/gitea#26745)) ([#​28803](go-gitea/gitea#28803)) - Modernize merge button ([#​28140](go-gitea/gitea#28140)) ([#​28786](go-gitea/gitea#28786)) - Speed up loading the dashboard on mysql/mariadb ([#​28546](go-gitea/gitea#28546)) ([#​28784](go-gitea/gitea#28784)) - Assign pull request to project during creation ([#​28227](go-gitea/gitea#28227)) ([#​28775](go-gitea/gitea#28775)) - Show description as tooltip instead of title for labels ([#​28754](go-gitea/gitea#28754)) ([#​28766](go-gitea/gitea#28766)) - Make template `DateTime` show proper tooltip ([#​28677](go-gitea/gitea#28677)) ([#​28683](go-gitea/gitea#28683)) - Switch destination directory for apt signing keys ([#​28639](go-gitea/gitea#28639)) ([#​28642](go-gitea/gitea#28642)) - Include heap pprof in diagnosis report to help debugging memory leaks ([#​28596](go-gitea/gitea#28596)) ([#​28599](go-gitea/gitea#28599)) - DOCS - Suggest to use Type=simple for systemd service ([#​28717](go-gitea/gitea#28717)) ([#​28722](go-gitea/gitea#28722)) - Extend description for ARTIFACT_RETENTION_DAYS ([#​28626](go-gitea/gitea#28626)) ([#​28630](go-gitea/gitea#28630)) - MISC - Add -F to commit search to treat keywords as strings ([#​28744](go-gitea/gitea#28744)) ([#​28748](go-gitea/gitea#28748)) - Add download attribute to release attachments ([#​28739](go-gitea/gitea#28739)) ([#​28740](go-gitea/gitea#28740)) - Concatenate error in `checkIfPRContentChanged` ([#​28731](go-gitea/gitea#28731)) ([#​28737](go-gitea/gitea#28737)) - Improve 1.21 document for Database Preparation ([#​28643](go-gitea/gitea#28643)) ([#​28644](go-gitea/gitea#28644)) Instances on **[Gitea Cloud](https://cloud.gitea.com)** will be automatically upgraded to this version during the specified maintenance window. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMzIuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEzMi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Reviewed-on: https://git.home/nrdufour/home-ops/pulls/316 Co-authored-by: Renovate <renovate@ptinem.io> Co-committed-by: Renovate <renovate@ptinem.io>
Backport #28587, the only conflict is the test file.
The CORS code has been unmaintained for long time, and the behavior is not correct.
This PR tries to improve it. The key point is written as comment in code. And add more tests.
Fix #28515
Fix #27642
Fix #17098