From f9614fc10807b9cb86ccfdc89c86466769ef65cc Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Tue, 10 Jun 2025 15:47:45 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=A9=B9(backend)=20default=20CORS=5FALLOW?= =?UTF-8?q?=5FALL=5FORIGINS=20to=20False?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The settings CORS_ALLOW_ALL_ORIGINS was set to True by default. This error is inherited from a old mistake made back in the days while working on the initial impress demo. I wrongly configured the settings. This error was propagated when @sampaccoud copied impress code to kickstart LaSuite Meet. This is not something we want, this should be only allowed in development. We change the value in all the manifests in order to have the desired behavior in non development environments.
---
 docs/installation.md | 10 +++++-----
 src/backend/meet/settings.py | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/installation.md b/docs/installation.md
index f1485806..af64bb25 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -250,7 +250,7 @@ You can use Visio on https://meet.127.0.0.1.nip.io from the local device. The pr
 These are the environmental options available on meet backend.
 | Option | Description | default |
-| ----------------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| ----------------------------------------------- | ---------------------------------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | DATA_DIR | Data directory location | /data |
 | DJANGO_ALLOWED_HOSTS | Hosts that are allowed | [] |
 | DJANGO_SECRET_KEY | Secret key used for Django security | |
@@ -270,7 +270,7 @@ These are the environmental options available on meet backend.
 | AWS_STORAGE_BUCKET_NAME | S3 bucket name | meet-media-storage |
 | DJANGO_LANGUAGE_CODE | Default language | en-us |
 | REDIS_URL | Redis endpoint | redis://redis:6379/1 |
-| SESSION_COOKIE_AGE | Session cookie expiration in seconds | 43200 (12 hours) |
+| SESSION_COOKIE_AGE | Session cookie expiration in seconds | 43200 (12 hours) |
 | REQUEST_ENTRY_THROTTLE_RATES | Entry request throttle rates | 150/minute |
 | CREATION_CALLBACK_THROTTLE_RATES | Creation callback throttle rates | 600/minute |
 | SPECTACULAR_SETTINGS_ENABLE_DJANGO_DEPLOY_CHECK | Enable Django deploy check | false |
@@ -293,7 +293,7 @@ These are the environmental options available on meet backend.
 | EMAIL_LOGO_IMG | Email logo image | |
 | EMAIL_DOMAIN | Email domain | |
 | EMAIL_APP_BASE_URL | Email app base URL | |
-| DJANGO_CORS_ALLOW_ALL_ORIGINS | Allow all CORS origins | true |
+| DJANGO_CORS_ALLOW_ALL_ORIGINS | Allow all CORS origins | false |
 | DJANGO_CORS_ALLOWED_ORIGINS | Origins to allow (string list) | [] |
 | DJANGO_CORS_ALLOWED_ORIGIN_REGEXES | Origins to allow (regex patterns) | [] |
 | SENTRY_DSN | Sentry server DSN | |
@@ -351,10 +351,10 @@ These are the environmental options available on meet backend.
 | LOBBY_KEY_PREFIX | Lobby key prefix | room_lobby |
 | LOBBY_WAITING_TIMEOUT | Lobby waiting timeout in seconds | 3 |
 | LOBBY_DENIED_TIMEOUT | Lobby deny timeout in seconds | 5 |
-| LOBBY_ACCEPTED_TIMEOUT | Lobby accept timeout in seconds | 21600 (6 hours) |
+| LOBBY_ACCEPTED_TIMEOUT | Lobby accept timeout in seconds | 21600 (6 hours) |
 | LOBBY_NOTIFICATION_TYPE | Lobby notification types | participantWaiting |
 | LOBBY_COOKIE_NAME | Lobby cookie name | lobbyParticipantId |
-| ROOM_CREATION_CALLBACK_CACHE_TIMEOUT | Room creation callback cache timeout | 600 (10 minutes) |
+| ROOM_CREATION_CALLBACK_CACHE_TIMEOUT | Room creation callback cache timeout | 600 (10 minutes) |
 | ROOM_TELEPHONY_ENABLED | Enable SIP telephony feature | false |
 | ROOM_TELEPHONY_PIN_LENGTH | Telephony PIN length | 10 |
 | ROOM_TELEPHONY_PIN_MAX_RETRIES | Telephony PIN maximum retries | 5 |
diff --git a/src/backend/meet/settings.py b/src/backend/meet/settings.py
index 9fe098cd..c11c4a20 100755
--- a/src/backend/meet/settings.py
+++ b/src/backend/meet/settings.py
@@ -340,7 +340,7 @@ class Base(Configuration):
     # CORS
     CORS_ALLOW_CREDENTIALS = True
-    CORS_ALLOW_ALL_ORIGINS = values.BooleanValue(True)
+    CORS_ALLOW_ALL_ORIGINS = values.BooleanValue(False)
     CORS_ALLOWED_ORIGINS = values.ListValue([])
     CORS_ALLOWED_ORIGIN_REGEXES = values.ListValue([])
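Review bot: The safer default is right, but `CORS_ALLOW_ALL_ORIGINS` remains an environment-overridable `BooleanValue` directly under `CORS_ALLOW_CREDENTIALS = True`, and nothing in the hunk ties a True override to development as the commit message intends. django-cors-headers cannot send `*` together with credentials, so when both flags are true the middleware reflects the request's `Origin` header, which turns a single mis-set variable into credentialed cross-origin access for any site. I would record that coupling on the setting line, e.g. `# Keep False outside development: with CORS_ALLOW_CREDENTIALS=True, allowing all origins reflects the request Origin and grants credentialed access to any site.`, and consider rejecting a True value when DEBUG is off, either in the configuration's `post_setup` hook or as a Django system check. The `Base` class starts outside the hunk, so I cannot see whether a development configuration already overrides this setting.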