
security(nginx): restrict CORS origin to Office/Outlook allowlist #117

Draft

dobby-coder[bot] wants to merge 1 commit into master from security/restrict-cors-origin


Conversation

@dobby-coder dobby-coder Bot commented Jul 2, 2026


What & why

nginx/default.conf served Access-Control-Allow-Origin: * on every response, letting any origin read the add-in's responses cross-origin. This tightens the CORS policy per issue #115 / advisory GHSA-m957-9cxh-72q7.

Change

  • Added a map $http_origin $addin_cors_origin allowlist that echoes the request Origin back only for the Microsoft origins that legitimately fetch add-in assets cross-origin:
    • https://appsforoffice.microsoft.com (Office.js CDN)
    • https://outlook.office.com, https://outlook.office365.com, https://outlook.live.com (Outlook hosts)
  • add_header Access-Control-Allow-Origin $addin_cors_origin always; — for any non-allowlisted origin the mapped value is empty, and nginx then omits the header entirely, so arbitrary sites can no longer read responses cross-origin.
  • Added Vary: Origin so shared caches don't hand one origin's CORS response to another.

The add-in's own assets are served same-origin inside the Office iframe, so normal add-in operation does not depend on the wildcard.

Testing

nginx and Docker aren't available in the build sandbox, so nginx -t couldn't be run here. The change follows the standard nginx map-based CORS pattern and mirrors the existing $addin_cache_control map already in this file (same http context via conf.d/). Brace/directive structure verified manually. Recommend the reviewer confirm with docker build + nginx -t in CI.

Closes #115.

Replace `Access-Control-Allow-Origin: *` in nginx/default.conf with a
map-based allowlist that echoes the request Origin back only for the
trusted Microsoft origins (Office.js CDN + Outlook hosts). Any other
origin gets an empty value, so nginx omits the header entirely and
arbitrary sites can no longer read add-in responses cross-origin.

Also add `Vary: Origin` so caches don't serve one origin's CORS
response to another.

Refs GHSA-m957-9cxh-72q7, closes #115

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
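The map-based allowlist and the header behaviour described in this PR, modelled as a small check that can stand in for the `nginx -t` run the sandbox could not do (added example; this is not the project's nginx/default.conf nor code from the PR): `expected_cors_headers` mirrors the `map` + `add_header ... always` semantics for a given request Origin, and `cors_policy_violations` compares observed response headers against the policy. The sample responses are constructed and `https://other.example` is a placeholder for any non-allowlisted origin.

```python
"""Reference model of the map-based CORS allowlist from this PR plus a header
checker usable as a CI gate (added example; not the project's own code)."""
from __future__ import annotations

# The four origins the PR allowlists in nginx/default.conf.
ADDIN_CORS_ALLOWLIST = frozenset({
    "https://appsforoffice.microsoft.com",
    "https://outlook.office.com",
    "https://outlook.office365.com",
    "https://outlook.live.com",
})


def expected_cors_headers(origin: str | None) -> dict[str, str]:
    """Mirror `map $http_origin $addin_cors_origin` + `add_header ... always`:
    an exact allowlist hit echoes the Origin; anything else maps to "" and
    nginx then omits Access-Control-Allow-Origin. Vary: Origin is always set."""
    headers = {"Vary": "Origin"}
    if origin in ADDIN_CORS_ALLOWLIST:
        headers["Access-Control-Allow-Origin"] = origin
    return headers


def cors_policy_violations(origin: str | None, headers: dict[str, str]) -> list[str]:
    """Check observed response headers for a request sent with the given Origin
    (e.g. captured with `curl -i -H 'Origin: ...'`); an empty list is compliant."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    findings: list[str] = []
    if acao == "*":
        findings.append("wildcard ACAO lets any origin read responses")
    elif acao is not None and acao not in ADDIN_CORS_ALLOWLIST:
        findings.append(f"ACAO echoes non-allowlisted origin {acao!r}")
    elif acao is not None and acao != origin:
        findings.append(f"ACAO {acao!r} does not match request origin {origin!r}")
    elif acao is None and origin in ADDIN_CORS_ALLOWLIST:
        findings.append(f"allowlisted origin {origin!r} was not echoed")
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    if "origin" not in vary:
        findings.append("missing Vary: Origin; a shared cache may cross origins")
    return findings


# Constructed sample responses: the pre-fix wildcard and two post-fix cases.
OTHER = "https://other.example"  # placeholder for a non-allowlisted origin
BEFORE = {"Access-Control-Allow-Origin": "*", "Content-Type": "text/html"}
AFTER_ALLOWED = {"Access-Control-Allow-Origin": "https://outlook.office.com",
                 "Vary": "Origin", "Content-Type": "text/html"}
AFTER_DENIED = {"Vary": "Origin", "Content-Type": "text/html"}
```

Running `cors_policy_violations` over headers captured from the built container for one allowlisted and one non-allowlisted Origin reproduces the end-to-end check the reviewer performed by hand.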

@dobby-coder dobby-coder Bot left a comment


Rules Dobby 2 — 1 finding (blocking CI): the PR title fails the Conventional Commit check.

The CORS hardening itself is correct and verified. A reviewer built nginx 1.27.4 from source and confirmed the live behaviour end-to-end: allowlisted Office/Outlook origins get their Origin echoed back in Access-Control-Allow-Origin, non-allowlisted origins get the header omitted (empty map value → nginx drops the header), and Vary: Origin is set on all responses. The wildcard vulnerability (GHSA-m957-9cxh-72q7 / #115) is genuinely fixed. Body has Closes #115, the map is correctly placed in the http{} context, and the asset-serving locations (/, /manifest.xml) correctly inherit the new headers. (/health doesn't inherit them, but that's pre-existing and a plaintext health check needs no CORS.)

Finding — must fix (this is why the PR is red):

  • The Conventional Commit check is failing. The title security(nginx): restrict CORS origin to Office/Outlook allowlist uses the type security, which is not in the default type list enforced by amannn/action-semantic-pull-request@v6 (allowed: fix, feat, docs, style, refactor, perf, test, build, ci, chore, revert). The repo runs the action with no custom types config, so security is rejected.
  • Fix: rename the title to a valid type — recommend fix(nginx): restrict CORS origin to Office/Outlook allowlist (a security hardening is a fix). Apply via gh api -X PATCH repos/encryption4all/postguard-outlook-addon/pulls/117 -f title='fix(nginx): restrict CORS origin to Office/Outlook allowlist'; the check re-runs on title edit. Keep it in draft until that check goes green.

No code changes are required to nginx/default.conf.


Development

Successfully merging this pull request may close these issues.

security: restrict CORS origin policy in production server config
