From a48f24ff3df9124faba32a1cca876175fb49549d Mon Sep 17 00:00:00 2001 From: Allison Karlitskaya Date: Mon, 17 Jul 2023 10:57:50 +0200 Subject: [PATCH] python bridge: drop CORS headers The correct thing for us to do with CORS is not to participate in it at all, so stop sending the `Access-Control-Allow-Origin` header. Modify our existing integration test which checks for the presence and value of the Access-Control-Allow-Origin header and replace it with a check that all headers are missing. --- src/cockpit/packages.py | 1 - test/verify/check-connection | 16 +++++++++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/src/cockpit/packages.py b/src/cockpit/packages.py index 14262b50c8b1..24c67ceca099 100644 --- a/src/cockpit/packages.py +++ b/src/cockpit/packages.py @@ -324,7 +324,6 @@ def serve_file(self, path, channel): data, (content_type, encoding) = self.files[path] headers = { - "Access-Control-Allow-Origin": channel.origin, "Content-Encoding": encoding, } if content_type is not None and content_type.startswith('text/html'): diff --git a/test/verify/check-connection b/test/verify/check-connection index ec827bc989fc..a1ac3e4d41ee 100755 --- a/test/verify/check-connection +++ b/test/verify/check-connection 
@@ -439,7 +439,21 @@ class TestConnection(testlib.MachineCase):
 headers = m.execute("curl -k --head -b cockpit.jar -s https://127.0.0.1:9090/")
 self.assertIn(
 "default-src 'self' https://127.0.0.1:9090; connect-src 'self' https://127.0.0.1:9090 wss://127.0.0.1:9090", headers)
- self.assertIn("Access-Control-Allow-Origin: https://127.0.0.1:9090", headers)
+ if self.is_pybridge():
+ # We want to make sure we're *not* sending any CORS headers.
+ CORS_HEADERS = [
+ # https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Response_headers
+ 'Access-Control-Allow-Credentials',
+ 'Access-Control-Expose-Headers',
+ 'Access-Control-Max-Age',
+ 'Access-Control-Allow-Methods',
+ 'Access-Control-Allow-Headers',
+ ]
+ for cors_header in CORS_HEADERS:
+ self.assertNotIn(cors_header, headers)
+ else:
+ self.assertIn("Access-Control-Allow-Origin: https://127.0.0.1:9090", headers)
+
 # CORP and Frame-Options are also set for dynamic paths
 self.assertIn("Cross-Origin-Resource-Policy: same-origin", headers)
 self.assertIn("X-Frame-Options: sameorigin", headers)
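Review bot: The pybridge branch never checks for `Access-Control-Allow-Origin`, the one CORS header this commit actually stops sending in packages.py; CORS_HEADERS lists five other response headers but omits it, so the new assertNotIn loop would still pass if the bridge kept emitting it. Add `'Access-Control-Allow-Origin',` to the list so the test pins the change the commit makes. The substring check is also case-sensitive while HTTP header names are not, so a differently-cased header name in the curl output would slip through; comparing `self.assertNotIn(cors_header.lower(), headers.lower())` closes that gap at no cost. The enclosing test method starts before this hunk.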