Commit 2549772
security(nginx): replace wildcard CORS with Office origin allowlist
Replace `Access-Control-Allow-Origin: *` in nginx/default.conf with a
map-based allowlist that echoes the request Origin back only for the
trusted Microsoft origins (Office.js CDN + Outlook hosts). Any other
origin gets an empty value, so nginx omits the header entirely and
arbitrary sites can no longer read add-in responses cross-origin.
Also add `Vary: Origin` so caches don't serve one origin's CORS
response to another.
Refs GHSA-m957-9cxh-72q7, closes #115
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>1 parent d413cf5 commit 2549772
1 file changed
Lines changed: 22 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
12 | 27 | | |
13 | 28 | | |
14 | 29 | | |
| |||
21 | 36 | | |
22 | 37 | | |
23 | 38 | | |
24 | | - | |
25 | | - | |
26 | | - | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
27 | 46 | | |
28 | 47 | | |
29 | 48 | | |
| |||
0 commit comments