Skip to content

feat(cas): add configurable CORS headers to HTTP download endpoint#2851

Merged
migmartri merged 3 commits into
chainloop-dev:mainfrom
migmartri:migmartri/cas-cors-headers
Mar 14, 2026
Merged

feat(cas): add configurable CORS headers to HTTP download endpoint#2851
migmartri merged 3 commits into
chainloop-dev:mainfrom
migmartri:migmartri/cas-cors-headers

Conversation

@migmartri

@migmartri migmartri commented Mar 14, 2026

Copy link
Copy Markdown
Member

Summary

  • Add CORS middleware to the CAS HTTP download endpoint so the platform frontend can fetch() evidence (SBOMs, SARIF, etc.) from signed URLs instead of being limited to window.open()
  • Middleware sits outside auth to handle OPTIONS preflights before token validation; passthrough when unconfigured
  • New Helm value cas.allowedOrigins accepts a YAML list or comma-separated string; empty by default (CORS disabled)

Verification

Set allow_origins: ["http://localhost:3000"] in dev config, restart CAS, then:

$ curl -v -X OPTIONS -H "Origin: http://localhost:3000" http://localhost:8001/download/sha256:test

< HTTP/1.1 204 No Content
< Access-Control-Allow-Headers: Authorization, Content-Type
< Access-Control-Allow-Methods: GET, HEAD, OPTIONS
< Access-Control-Allow-Origin: http://localhost:3000
< Access-Control-Max-Age: 86400
< Vary: Origin

Preflight returns 204 with correct CORS headers, handled before auth (no "missing token" error).

Closes #2848

The platform frontend needs to fetch() content from CAS signed URLs to
render evidence inline (SBOMs, SARIF, etc.). Currently browsers block
these requests because the CAS HTTP endpoint returns no CORS headers.

Add a configurable CORS middleware that sits outside auth so OPTIONS
preflights are handled before token validation. Exposed via Helm chart
as cas.allowedOrigins (supports both YAML list and comma-separated
string). When empty (default), CORS is disabled and the middleware is
a passthrough.

Closes chainloop-dev#2848

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 8 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="app/artifact-cas/internal/conf/conf.proto">

<violation number="1" location="app/artifact-cas/internal/conf/conf.proto:45">
P2: Adding `cors` to the shared `HTTP` config makes `server.http_metrics.cors` look supported even though the metrics server never uses it.</violation>
</file>

<file name="deployment/chainloop/templates/cas/configmap.yaml">

<violation number="1" location="deployment/chainloop/templates/cas/configmap.yaml:28">
P2: Trim comma-separated origins before checking whether the item is empty; whitespace-only segments currently render as `""` origins.</violation>
</file>

<file name="app/artifact-cas/internal/server/cors.go">

<violation number="1" location="app/artifact-cas/internal/server/cors.go:56">
P2: Handle `Vary: Origin` before the early return and append it instead of overwriting it, otherwise caches can serve the wrong CORS variant.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread app/artifact-cas/internal/conf/conf.proto Outdated
Comment thread deployment/chainloop/templates/cas/configmap.yaml Outdated
Comment thread app/artifact-cas/internal/server/cors.go Outdated
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Move cors config from Server.HTTP to Server level so it doesn't appear
supported on http_metrics. Set Vary: Origin before the early return for
non-matching origins (HTTP cache correctness) using Add instead of Set.
Fix whitespace-only segments in Helm configmap template with trim.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 7 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="app/artifact-cas/internal/conf/conf.proto">

<violation number="1" location="app/artifact-cas/internal/conf/conf.proto:67">
P2: Moving `cors` from `server.http` to `server` breaks existing config paths. Keep backward compatibility or add an explicit migration so upgrades do not silently disable download CORS.

(Based on your team's feedback about ensuring cross-component and version compatibility.) [FEEDBACK_USED]</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

// hHTTP server where the prometheus metrics will get exposed
HTTP http_metrics = 3;
// CORS configuration for the HTTP download endpoint
CORS cors = 4;

@cubic-dev-ai cubic-dev-ai Bot Mar 14, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Moving cors from server.http to server breaks existing config paths. Keep backward compatibility or add an explicit migration so upgrades do not silently disable download CORS.

(Based on your team's feedback about ensuring cross-component and version compatibility.)

View Feedback

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At app/artifact-cas/internal/conf/conf.proto, line 67:

<comment>Moving `cors` from `server.http` to `server` breaks existing config paths. Keep backward compatibility or add an explicit migration so upgrades do not silently disable download CORS.

(Based on your team's feedback about ensuring cross-component and version compatibility.) </comment>

<file context>
@@ -64,6 +63,8 @@ message Server {
   // hHTTP server where the prometheus metrics will get exposed
   HTTP http_metrics = 3;
+  // CORS configuration for the HTTP download endpoint
+  CORS cors = 4;
 }
 
</file context>
Fix with Cubic

@matiasinsaurralde matiasinsaurralde left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@migmartri migmartri merged commit a51d8dc into chainloop-dev:main Mar 14, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add configurable CORS headers to CAS HTTP download endpoint

2 participants