Skip to content

Commit 5029081

Browse files
committed
fix(dev): keep '*' CORS default, drive WebSocket origins from config, warn on '*'
Per review, retain backwards compatibility instead of changing the default origin allowlist: - Revert the default origins back to "*" (no change vs HEAD). - Derive the /run_live WebSocket allowed origins from adk.web.cors.origins instead of a hardcoded "*", so both HTTP CORS and the WebSocket can be locked down via the single property. - Log a startup WARN when origins is "*", noting it is insecure (dev only) and pointing users to set adk.web.cors.origins.
1 parent cb73317 commit 5029081

3 files changed

Lines changed: 15 additions & 6 deletions

File tree

dev/src/main/java/com/google/adk/web/config/AdkWebCorsConfig.java

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,8 @@
1616

1717
package com.google.adk.web.config;
1818

19+
import org.slf4j.Logger;
20+
import org.slf4j.LoggerFactory;
1921
import org.springframework.context.annotation.Bean;
2022
import org.springframework.context.annotation.Configuration;
2123
import org.springframework.web.cors.CorsConfiguration;
@@ -42,11 +44,21 @@
4244
@Configuration
4345
public class AdkWebCorsConfig {
4446

47+
private static final Logger logger = LoggerFactory.getLogger(AdkWebCorsConfig.class);
48+
4549
@Bean
4650
public CorsConfigurationSource corsConfigurationSource(AdkWebCorsProperties corsProperties) {
51+
if (corsProperties.origins().contains("*")) {
52+
logger.warn(
53+
"CORS is configured to allow all origins (\"*\"), which is insecure and intended for"
54+
+ " local development only. This also applies to the /run_live WebSocket endpoint."
55+
+ " Set 'adk.web.cors.origins' to an explicit allowlist to restrict which origins"
56+
+ " may call the server.");
57+
}
58+
4759
CorsConfiguration configuration = new CorsConfiguration();
4860

49-
configuration.setAllowedOriginPatterns(corsProperties.origins());
61+
configuration.setAllowedOrigins(corsProperties.origins());
5062
configuration.setAllowedMethods(corsProperties.methods());
5163
configuration.setAllowedHeaders(corsProperties.headers());
5264
configuration.setAllowCredentials(corsProperties.allowCredentials());

dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -34,10 +34,7 @@ public record AdkWebCorsProperties(
3434

3535
public AdkWebCorsProperties {
3636
mapping = mapping != null ? mapping : "/**";
37-
origins =
38-
origins != null && !origins.isEmpty()
39-
? origins
40-
: List.of("http://localhost:[*]", "http://127.0.0.1:[*]");
37+
origins = origins != null && !origins.isEmpty() ? origins : List.of("*");
4138
methods =
4239
methods != null && !methods.isEmpty()
4340
? methods

dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,6 @@ public WebSocketConfig(
4242
public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
4343
registry
4444
.addHandler(liveWebSocketHandler, "/run_live")
45-
.setAllowedOriginPatterns(corsProperties.origins().toArray(new String[0]));
45+
.setAllowedOrigins(corsProperties.origins().toArray(new String[0]));
4646
}
4747
}

0 commit comments

Comments
 (0)