fix: CORS requests when Origin is invalid or null (#20343)

* Fix CORS requests when Origin is invalid or null In some situations (such as calling posthog from within an iframe) the Origin header can be "null" or otherwise invalid In these situations we can't echo back the requested origin so we need to send * instead * Fix mypi issue * Fix test
PostHog · Feb 15, 2024 · 856d495 · 856d495
1 parent 04b5a9e
commit 856d495
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/posthog/test/test_utils_cors.py b/posthog/test/test_utils_cors.py
@@ -0,0 +1,29 @@
+from collections import namedtuple
+from django.test import TestCase
+
+from posthog.utils_cors import cors_response
+
+
+class TestCorsResponse(TestCase):
+    def test_origin(self) -> None:
+        valid_origin_test_cases = [
+            ("https://my-amazing.site", "https://my-amazing.site"),
+            ("https://my-amazing.site/", "https://my-amazing.site"),
+            ("https://my-amazing.site/my/path", "https://my-amazing.site"),
+            ("http://my-amazing.site/my/path", "http://my-amazing.site"),
+            ("https://us.posthog.com/decide", "https://us.posthog.com"),
+            ("my-amazing.site", "*"),
+            ("my-amazing.site/path", "*"),
+            ("null", "*"),
+            ("", None),
+        ]
+
+        FakeRequest = namedtuple("FakeRequest", "META")
+        for origin, expected in valid_origin_test_cases:
+            with self.subTest():
+                request = FakeRequest(META={"HTTP_ORIGIN": origin})
+                self.assertEqual(
+                    expected,
+                    cors_response(request, {}).get("Access-Control-Allow-Origin"),
+                    msg=f"with origin='{origin}', actual did not equal {expected}",
+                )
diff --git a/posthog/utils_cors.py b/posthog/utils_cors.py
@@ -15,7 +15,10 @@ def cors_response(request, response):
     if not request.META.get("HTTP_ORIGIN"):
         return response
     url = urlparse(request.META["HTTP_ORIGIN"])
-    response["Access-Control-Allow-Origin"] = f"{url.scheme}://{url.netloc}"
+    if url.netloc == "":
+        response["Access-Control-Allow-Origin"] = "*"
+    else:
+        response["Access-Control-Allow-Origin"] = f"{url.scheme}://{url.netloc}"
     response["Access-Control-Allow-Credentials"] = "true"
     response["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"