Skip to content

SITES-23772 AEM Analyzer Plugin: CORS Configuration#317

Draft
magdalenaorlowska wants to merge 1 commit into
adobe:mainfrom
magdalenaorlowska:features/SITES-23772
Draft

SITES-23772 AEM Analyzer Plugin: CORS Configuration#317
magdalenaorlowska wants to merge 1 commit into
adobe:mainfrom
magdalenaorlowska:features/SITES-23772

Conversation

@magdalenaorlowska
Copy link
Copy Markdown

@magdalenaorlowska magdalenaorlowska commented Mar 3, 2025
edited
Loading

Description

New Task that checks if none of the Project Configurations overrides the build-in com.adobe.granite.cors.impl.CORSPolicyImpl settings.

Developers will receive a build warning if the project-level configuration (com.adobe.granite.cors.impl.CORSPolicyImpl~...json) includes the alloworigin or alloworiginregexp properties that may restrict access to URLs such as https://experience.adobe.com or https://static.adobe.net.

Related Issue

SITES-23772 AEM Analyzer Plugin: CORS Configuration

Motivation and Context

We have multiple customers facing CORS issues which are widely back-traceable to a custom CORS configuration including the adobe.com domain.

How Has This Been Tested?

I've run the plugin on a project created from the AEM Project Archetype + several correct & invalid configurations.

Screenshots (if appropriate):

n/a

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have signed the Adobe Open Source CLA.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@kwin
Copy link
Copy Markdown
Contributor

kwin commented Mar 3, 2025

I think this should rather be enforced via https://github.com/apache/sling-org-apache-sling-feature-extension-apiregions/blob/master/docs/api-regions.md#configurations

@maximilianvoss
Copy link
Copy Markdown

maximilianvoss commented Mar 4, 2025

I think this should rather be enforced via https://github.com/apache/sling-org-apache-sling-feature-extension-apiregions/blob/master/docs/api-regions.md#configurations

Can you elaborate how API regions can help on this use case?
Customers are allowed to bring their own configurations for CORS, only certain values are not allowed to be in the configuration.

@kwin
Copy link
Copy Markdown
Contributor

kwin commented Mar 4, 2025

The description said otherwise:

New Task that checks if none of the Project Configurations overrides the build-in com.adobe.granite.cors.impl.CORSPolicyImpl settings.

But AFAIK the API regions supports regex per property: https://github.com/apache/sling-org-apache-sling-feature-extension-apiregions/blob/master/docs/api-regions.md#properties. That can be leveraged to exclude values with adobe.com.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@magdalenaorlowska @kwin @maximilianvoss