security(nginx): restrict CORS origin to Office/Outlook allowlist#117
dobby-coder[bot] wants to merge 1 commit into
Conversation
Replace `Access-Control-Allow-Origin: *` in nginx/default.conf with a map-based allowlist that echoes the request Origin back only for the trusted Microsoft origins (Office.js CDN + Outlook hosts). Any other origin gets an empty value, so nginx omits the header entirely and arbitrary sites can no longer read add-in responses cross-origin. Also add `Vary: Origin` so caches don't serve one origin's CORS response to another. Refs GHSA-m957-9cxh-72q7, closes #115 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Rules Dobby 2 — 1 finding (blocking CI): the PR title fails the Conventional Commit check.
The CORS hardening itself is correct and verified. A reviewer built nginx 1.27.4 from source and confirmed the live behaviour end-to-end: allowlisted Office/Outlook origins get their Origin echoed back in Access-Control-Allow-Origin, non-allowlisted origins get the header omitted (empty map value → nginx drops the header), and Vary: Origin is set on all responses. The wildcard vulnerability (GHSA-m957-9cxh-72q7 / #115) is genuinely fixed. Body has Closes #115, the map is correctly placed in the http{} context, and the asset-serving locations (/, /manifest.xml) correctly inherit the new headers. (/health doesn't inherit them, but that's pre-existing and a plaintext health check needs no CORS.)
Finding — must fix (this is why the PR is red):
- The Conventional Commit check is failing. The title `security(nginx): restrict CORS origin to Office/Outlook allowlist` uses the type `security`, which is not in the default type list enforced by `amannn/action-semantic-pull-request@v6` (allowed: `fix`, `feat`, `docs`, `style`, `refactor`, `perf`, `test`, `build`, `ci`, `chore`, `revert`). The repo runs the action with no custom `types` config, so `security` is rejected.
- Fix: rename the title to a valid type — recommend `fix(nginx): restrict CORS origin to Office/Outlook allowlist` (a security hardening is a `fix`). Apply via `gh api -X PATCH repos/encryption4all/postguard-outlook-addon/pulls/117 -f title='fix(nginx): restrict CORS origin to Office/Outlook allowlist'`; the check re-runs on title edit. Keep it in draft until that check goes green.
No code changes are required to nginx/default.conf.
What & why
`nginx/default.conf` served `Access-Control-Allow-Origin: *` on every response, letting any origin read the add-in's responses cross-origin. This tightens the CORS policy per issue #115 / advisory GHSA-m957-9cxh-72q7.
Change
- `map $http_origin $addin_cors_origin` allowlist that echoes the request `Origin` back only for the Microsoft origins that legitimately fetch add-in assets cross-origin:
  - `https://appsforoffice.microsoft.com` (Office.js CDN)
  - `https://outlook.office.com`, `https://outlook.office365.com`, `https://outlook.live.com` (Outlook hosts)
- `add_header Access-Control-Allow-Origin $addin_cors_origin always;` — for any non-allowlisted origin the mapped value is empty, and nginx then omits the header entirely, so arbitrary sites can no longer read responses cross-origin.
- `Vary: Origin` so shared caches don't hand one origin's CORS response to another.
- The add-in's own assets are served same-origin inside the Office iframe, so normal add-in operation does not depend on the wildcard.
Testing
nginx and Docker aren't available in the build sandbox, so `nginx -t` couldn't be run here. The change follows the standard nginx map-based CORS pattern and mirrors the existing `$addin_cache_control` map already in this file (same `http` context via `conf.d/`). Brace/directive structure verified manually. Recommend the reviewer confirm with `docker build` + `nginx -t` in CI.
Closes #115.
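The map-based allowlist described in the PR body and verified in the review comment above, written out as an added example. This is illustration code, not the repository's `nginx/default.conf`: the origin list is the one the PR names, but the `server` block, `root` path, the `/manifest.xml` and `/health` locations and the `Cache-Control` directive inside `/health` are assumed for the sake of a complete, loadable file. The `/health` location is there to show the nginx inheritance rule the reviewer mentions: a location that sets any `add_header` of its own drops all `add_header` directives from the enclosing level.

```nginx
# Added example of the CORS allowlist pattern; not the project's own config.
# Goes in the http{} context (conf.d/*.conf is included there by the stock
# nginx.conf), which is required because map{} is an http-level directive.

# BEFORE (the wildcard this PR removes): every origin may read responses.
#   add_header Access-Control-Allow-Origin * always;

# AFTER: echo the request Origin only for the allowlisted hosts.
# map{} keys are exact, case-insensitive string matches, so
# https://outlook.office.com.evil.example or http://outlook.office.com
# does NOT match; they fall through to default and get the empty value.
map $http_origin $addin_cors_origin {
    default                               "";           # unknown/absent Origin
    "https://appsforoffice.microsoft.com" $http_origin; # Office.js CDN
    "https://outlook.office.com"          $http_origin; # Outlook hosts
    "https://outlook.office365.com"       $http_origin;
    "https://outlook.live.com"            $http_origin;
}

server {
    listen      80;
    server_name _;
    root        /usr/share/nginx/html;   # assumed asset directory

    # nginx drops an add_header whose value is empty, so the header appears
    # only when the map produced a non-empty value. `always` keeps it on
    # 4xx/5xx responses as well as 2xx/3xx.
    add_header Access-Control-Allow-Origin $addin_cors_origin always;
    # Tell shared caches the body/headers vary by Origin, so a response
    # cached for outlook.office.com is not replayed to another origin.
    add_header Vary Origin always;

    # Add-in assets; inherit both headers from the server level.
    location / {
        try_files $uri $uri/ =404;
    }

    location = /manifest.xml {
        default_type application/xml;
    }

    # Assumed health endpoint. Because it declares its own add_header, it does
    # NOT inherit the server-level CORS/Vary headers (standard nginx rule).
    # Harmless for a plaintext probe, but anything that must carry the CORS
    # header has to avoid add_header at location level or repeat both lines.
    location = /health {
        default_type text/plain;
        add_header Cache-Control "no-store" always;
        return 200 "ok\n";
    }
}
```

To check the behaviour end-to-end once the container is up: `nginx -t` for syntax, then `curl -sI -H 'Origin: https://outlook.office.com' http://localhost/manifest.xml` should return `Access-Control-Allow-Origin: https://outlook.office.com` plus `Vary: Origin`, while the same request with `-H 'Origin: https://attacker.example'` should return `Vary: Origin` but no `Access-Control-Allow-Origin` line at all. A request with no `Origin` header behaves like the second case.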