What is the purpose of Settings -> Security -> CORS origins vs similar environment setting?

What is the purpose of Settings -> Security -> CORS origins

As compared to the CORS_ORIGIN setting in app.yml

  ## Enable Cross-origin resource sharing so that SSO works properly
  DISCOURSE_ENABLE_CORS: true
  DISCOURSE_CORS_ORIGIN: '*'
5 Likes

Not sure, @neil can you elaborate?

In a multisite setup, like our hosting, each site can have its own allowed origins by using the “cors origins” setting. Setting DISCOURSE_CORS_ORIGIN in app.yml will be global to all sites, which probably isn’t what you want in multisite. If you only have one site in a container, then using DISCOURSE_CORS_ORIGIN and “cors origins” will be the same.

8 Likes