fix: LEAP-1997: make CORS configurable via env (#7448)

jombooth · web-flow · commit a00231a39acf · 2025-05-02T07:34:25.000+04:00
diff --git a/deploy/default.conf b/deploy/default.conf
@@ -40,6 +40,7 @@ http {
       '"content_type":"$content_type",'
       '"useragent":"$http_user_agent",'
       '"referrer":"$http_referer",'
+      '"origin":"$http_origin",'
       '"x_forwarded_for":"$http_x_forwarded_for",'
       '"url":"$request_uri",'
       '"version":"$server_protocol",'
diff --git a/label_studio/core/settings/base.py b/label_studio/core/settings/base.py
@@ -275,7 +275,15 @@
     '127.0.0.1',
     'localhost',
 ]
-CORS_ORIGIN_ALLOW_ALL = True
+
+# Typical secure configuration is simply set CORS_ALLOW_ALL_ORIGINS = False in the env
+if allowed_origins := get_env_list('CORS_ALLOWED_ORIGINS'):
+    CORS_ALLOWED_ORIGINS = allowed_origins
+elif allowed_origin_regexes := get_env_list('CORS_ALLOWED_ORIGIN_REGEXES'):
+    CORS_ALLOWED_ORIGIN_REGEXES = allowed_origin_regexes
+else:
+    CORS_ALLOW_ALL_ORIGINS = get_bool_env('CORS_ALLOW_ALL_ORIGINS', True)
+
 CORS_ALLOW_METHODS = [
     'DELETE',
     'GET',
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -167,7 +167,7 @@ django-environ = "0.10.0"
 django-filter = "24.3"
 django-model-utils = "4.1.1"
 django-rq = "^2.10.2"
-django-cors-headers = "3.6.0"
+django-cors-headers = "4.7.0"
 django-extensions = "3.2.3"
 django-user-agents = "0.4.0"
 django-ranged-fileresponse = ">=0.1.2"
