feat(cors): Add wildcard port matching for CORS allowOrigins#8708
feat(cors): Add wildcard port matching for CORS allowOrigins#8708GajanSoorian wants to merge 1 commit intoenvoyproxy:mainfrom
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 canceled.
|
|
cc @zhaohuabing |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 71d94a932b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
Thanks @zhaohuabing , I've addressed this comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #8708 +/- ##
==========================================
- Coverage 74.34% 74.29% -0.05%
==========================================
Files 244 245 +1
Lines 38868 38801 -67
==========================================
- Hits 28896 28829 -67
+ Misses 7970 7968 -2
- Partials 2002 2004 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Signed-off-by: Gajan Suryan <gajansuryan@gmail.com>
|
The request is legitimate, but I’m not sure wildcard port matching is the right API here since it’s not a common pattern of how wildcard is used to match hosts. Maybe we should introduce an additional regex-based matcher in the CORS API, which would be clearer and more future-proof. |
3 participants
What type of PR is this?
feat(cors)
What this PR does:
Re-adds wildcard port matching (
*) for CORSallowOrigins, reverting the removal in commit 81dce3e (upstream PR #2453).The
wildcard2regexruntime function already handles port wildcards correctly; This PR relaxes the kubebuilder CRD validation regex to accept*in the port position.Why we need it:
The current
SecurityPolicyCRD validation rejects wildcard ports, requiring every port to be enumerated explicitly. This creates friction in several scenarios:Local development with arbitrary ports: Tools like webpack dev servers run on several ports chosen by the developers. Arbitrary client applications can also use multiple ports. Explicitly listing these ports is no manageable.
Using a general wildcard is not suitable in development environments that require stricter controls to prevent unwanted CORS access.
Parallel agent workflows: Multiple AI coding agents working in separate worktrees each need their own dev server on a unique port. Hardcoding ports prevents this.
Wildcard port matching (e.g.,
https://host.com:*) allows a single origin entry to cover all ports for a given host, eliminating the need to enumerate and maintain an ever-growing list of port numbers or compromise on security by using the general wildcard option.What Changed
api/v1alpha1/cors_types.go: Relaxed the kubebuilder validation regex onOriginfrom(:\d{1,5})?to(:(\*|\d{1,5}))?make manifestsinternal/gatewayapi/securitypolicy_test.gotest/cel-validation/securitypolicy_test.goTest plan
make manifestsregenerates CRDs with the new regexgo test ./internal/gatewayapi/... -run Test_wildcard2regexpasses with new port wildcard casesgo test ./test/cel-validation/... -run TestSecurityPolicyTargethttps://example.com:*are accepted by the CRDhttps://examplecom:5173still work (no regression)Which issue(s) this PR fixes:
N.A