What is the purpose of Settings -> Security -> CORS origins vs similar environment setting?


(Christopher Kampmeier) #1

What is the purpose of Settings -> Security -> CORS origins, as compared to the CORS_ORIGIN setting in app.yml?

  ## Enable Cross-origin resource sharing so that SSO works properly
  DISCOURSE_ENABLE_CORS: true
  DISCOURSE_CORS_ORIGIN: '*'

What are the risks of enabling Cross-origin resource sharing (DISCOURSE_ENABLE_CORS)?


(Jeff Atwood) #2

Not sure, @neil can you elaborate?


(Neil Lalonde) #3

In a multisite setup, like our hosting, each site can have its own allowed origins by using the “cors origins” setting. Setting DISCOURSE_CORS_ORIGIN in app.yml will be global to all sites, which probably isn’t what you want in multisite. If you only have one site in a container, then using DISCOURSE_CORS_ORIGIN and “cors origins” will be the same.


Correct CORS enabling steps?
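
Added example, not part of the thread and not Discourse's own code: a simplified Ruby model of the scoping described in post #3, assuming the container-wide value and each site's "cors origins" list are simply combined. The site names, origins and function names are constructed for illustration.

```ruby
# Simplified model (an assumption, not Discourse's code) of the scoping in
# post #3: a container-wide origin list plus a per-site "cors origins" list.

# Origins a site will accept: the container-wide list applies to every site,
# the per-site list only to the site that set it.
def effective_origins(global_origins, site_origins)
  (global_origins + site_origins).uniq
end

# Would a request carrying this Origin header be allowed for the site?
def origin_allowed?(origin, global_origins, site_origins)
  allowed = effective_origins(global_origins, site_origins)
  allowed.include?('*') || allowed.include?(origin)
end

# Audit: list sites that accept origins their own setting never named,
# i.e. sites whose exposure comes from the container-wide value.
def sites_widened_by_global(global_origins, sites)
  sites.select do |_name, site_origins|
    global_origins.include?('*') || !(global_origins - site_origins).empty?
  end.keys
end

# Constructed sample data: two sites sharing one container.
SITES = {
  'forum-a.example' => ['https://sso-a.example'],
  'forum-b.example' => ['https://sso-b.example']
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Compare a wildcard container-wide value with no container-wide value.
  [['*'], []].each do |global|
    puts "container-wide origins: #{global.inspect}"
    SITES.each do |name, origins|
      ok = origin_allowed?('https://other.example', global, origins)
      puts "  #{name}: https://other.example allowed? #{ok}"
    end
    puts "  widened by global value: #{sites_widened_by_global(global, SITES)}"
  end
end
```

In this model a container-wide `'*'` makes every site in the container accept any origin, while per-site lists keep each site's allowed origins separate.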
(Neil Lalonde) #4