chore: Allow cors requests to workspace proxies for latency checks (#7484)

* CSP addition for web requests * chore: Add cors to workspace proxies to allow for latency checks
2023-05-10 12:19:55 -05:00 · 2023-05-10 12:19:55 -05:00 · 3f9af6f5e7
parent d17ea84b4a
commit 3f9af6f5e7
4 changed files with 23 additions and 1 deletions
--- a/coderd/httpmw/csp.go
+++ b/coderd/httpmw/csp.go
@ -104,6 +104,8 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
 			if len(extraConnect) > 0 {
 				for _, extraHost := range extraConnect {
 					cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("wss://%[1]s ws://%[1]s", extraHost))
+					// We also require this to make http/https requests to the workspace proxy for latency checking.
+					cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("https://%[1]s http://%[1]s", extraHost))
 				}
 			}

--- a/enterprise/wsproxy/wsproxy.go
+++ b/enterprise/wsproxy/wsproxy.go
@ -11,6 +11,7 @@ import (
 	"time"

 	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/cors"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
 	"go.opentelemetry.io/otel/trace"
@ -197,6 +198,20 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 		httpmw.ExtractRealIP(s.Options.RealIPConfig),
 		httpmw.Logger(s.Logger),
 		httpmw.Prometheus(s.PrometheusRegistry),
+		// The primary coderd dashboard needs to make some GET requests to
+		// the workspace proxies to check latency.
+		cors.Handler(cors.Options{
+			AllowedOrigins: []string{
+				// Allow the dashboard to make requests to the proxy for latency
+				// checks.
+				opts.DashboardURL.String(),
+			},
+			// Only allow GET requests for latency checks.
+			AllowedMethods: []string{http.MethodGet},
+			AllowedHeaders: []string{"Accept", "Content-Type"},
+			// Do not send any cookies
+			AllowCredentials: false,
+		}),

 		// HandleSubdomain is a middleware that handles all requests to the
 		// subdomain-based workspace apps.
--- a/go.mod
+++ b/go.mod
@ -174,7 +174,10 @@ require (
 	tailscale.com v1.32.2
 )

-require github.com/armon/go-radix v1.0.0 // indirect
+require (
+	github.com/armon/go-radix v1.0.0 // indirect
+	github.com/go-chi/cors v1.2.1 // indirect
+)

 require (
 	cloud.google.com/go/compute v1.18.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -599,6 +599,8 @@ github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
 github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
 github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8=
 github.com/go-chi/chi/v5 v5.0.7/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
+github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/httprate v0.7.1 h1:d5kXARdms2PREQfU4pHvq44S6hJ1hPu4OXLeBKmCKWs=
 github.com/go-chi/httprate v0.7.1/go.mod h1:6GOYBSwnpra4CQfAKXu8sQZg+nZ0M1g9QnyFvxrAB8A=
 github.com/go-chi/render v1.0.1 h1:4/5tis2cKaNdnv9zFLfXzcquC9HbeZgCnxGnKrltBS8=