add -cors.origin flag to "zed serve" (#4334)

The -cors.origin flag specifies a CORS allowed origin. The flag may be
repeated.

This change removes the two baked-in allowed origins,
*.observableusercontent.com and localhost, and replaces them with a
default allowed origin of *.  As a consequence, "zed serve" with no
-cors.origin flag behaves like "zed serve -cors.origin '*'".

Closes #4297.

cmd/zed/serve/command.go

@@ -53,6 +53,10 @@ func New(parent charm.Command, f *flag.FlagSet) (charm.Command, error) {
 	c.conf.Version = cli.Version
 	c.logflags.SetFlags(f)
 	f.IntVar(&c.brimfd, "brimfd", -1, "pipe read fd passed by brim to signal brim closure")
+	f.Func("cors.origin", "CORS allowed origin (may be repeated)", func(s string) error {
+		c.conf.CORSAllowedOrigins = append(c.conf.CORSAllowedOrigins, s)
+		return nil
+	})
 	f.StringVar(&c.listenAddr, "l", ":9867", "[addr]:port to listen on")
 	f.StringVar(&c.portFile, "portfile", "", "write listen port to file")
 	f.StringVar(&c.rootContentFile, "rootcontentfile", "", "file to serve for GET /")

service/core.go

@@ -43,11 +43,12 @@ const indexPage = `
 </html>`
 
 type Config struct {
-	Auth        AuthConfig
-	Root        *storage.URI
-	RootContent io.ReadSeeker
-	Version     string
-	Logger      *zap.Logger
+	Auth               AuthConfig
+	CORSAllowedOrigins []string
+	Root               *storage.URI
+	RootContent        io.ReadSeeker
+	Version            string
+	Logger             *zap.Logger
 }
 
 type Core struct {
@@ -105,7 +106,7 @@ func NewCore(ctx context.Context, conf Config) (*Core, error) {
 	}
 
 	routerAux := mux.NewRouter()
-	routerAux.Use(corsMiddleware())
+	routerAux.Use(corsMiddleware(conf.CORSAllowedOrigins))
 
 	routerAux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		http.ServeContent(w, r, "", time.Time{}, conf.RootContent)
@@ -131,7 +132,7 @@ func NewCore(ctx context.Context, conf Config) (*Core, error) {
 	routerAPI.Use(requestIDMiddleware())
 	routerAPI.Use(accessLogMiddleware(conf.Logger))
 	routerAPI.Use(panicCatchMiddleware(conf.Logger))
-	routerAPI.Use(corsMiddleware())
+	routerAPI.Use(corsMiddleware(conf.CORSAllowedOrigins))
 
 	c := &Core{
 		auth:          authenticator,

service/middleware.go

@@ -30,9 +30,7 @@ func requestIDMiddleware() mux.MiddlewareFunc {
 	}
 }
 
-var allowedOrigins = []string{"*.observableusercontent.com", "localhost"}
-
-func corsMiddleware() mux.MiddlewareFunc {
+func corsMiddleware(allowedOrigins []string) mux.MiddlewareFunc {
 	return cors.New(cors.Options{
 		AllowedOrigins: allowedOrigins,
 		AllowedMethods: []string{

service/ztests/curl-cors.yaml

@@ -1,30 +1,30 @@
 script: |
-  source service.sh
+  LAKE_EXTRA_FLAGS='-cors.origin=http://a -cors.origin=http://*.b' source service.sh
   echo === OPTIONS: allowed ===
   curl -sD - \
     -X OPTIONS \
     -H "Access-Control-Request-Method: POST" \
     -H "Access-Control-Request-Headers: content-type, authorization" \
-    -H "Origin: http://test.observableusercontent.com" \
+    -H "Origin: http://a" \
     $ZED_LAKE/query | grep Access-Control-Allow | tr -d '\015'
   echo === OPTIONS: not allowed ===
   ! curl -sD - \
     -X OPTIONS \
     -H "Access-Control-Request-Method: POST" \
     -H "Access-Control-Request-Headers: content-type, authorization" \
-    -H "Origin: http://adversarialobservableusercontent.com" \
+    -H "Origin: http://not-a" \
     $ZED_LAKE/query | grep Access-Control-Allow
   echo === POST: allowed ===
   curl -sD - \
     -X POST \
-    -H "Origin: http://test.observableusercontent.com" \
+    -H "Origin: http://wildcard.b" \
     -H "Accept: application/json" \
     -d '{"query":"from :pools | *"}' \
     $ZED_LAKE/query | grep Access-Control-Allow | tr -d '\015'
   echo === POST: not allowed ===
   ! curl -sD - \
     -X POST \
-    -H "Origin: http://adversarialobservableusercontent.com" \
+    -H "Origin: http://wildcard.not-b" \
     -H "Accept: application/json" \
     -d '{"query":"from :pools | *"}' \
     $ZED_LAKE/query | grep Access-Control-Allow
@@ -39,9 +39,9 @@ outputs:
       Access-Control-Allow-Credentials: true
       Access-Control-Allow-Headers: Content-Type, Authorization
       Access-Control-Allow-Methods: POST
-      Access-Control-Allow-Origin: http://test.observableusercontent.com
+      Access-Control-Allow-Origin: http://a
       === OPTIONS: not allowed ===
       === POST: allowed ===
       Access-Control-Allow-Credentials: true
-      Access-Control-Allow-Origin: http://test.observableusercontent.com
+      Access-Control-Allow-Origin: http://wildcard.b
       === POST: not allowed ===