From adf806fbab174e6b16cb0aadf56f0f3a8a38abb6 Mon Sep 17 00:00:00 2001
From: Phani Raj
Date: Wed, 30 Oct 2024 13:28:29 -0500
Subject: [PATCH] fix(site apps): Allow site-apps to be served across Origin (#25910)

This PR allows the /site_app/ endpoint to be called from a different HTTP ORIGIN
---
posthog/api/test/test_site_app.py | 36 +++++++++++++++++++++++++++++++
posthog/settings/web.py | 2 +-
2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/posthog/api/test/test_site_app.py b/posthog/api/test/test_site_app.py
index 9a428774c6ea7..92340e67144bd 100644
--- a/posthog/api/test/test_site_app.py
+++ b/posthog/api/test/test_site_app.py
@@ -41,6 +41,42 @@ def test_site_app(self): f"function inject(){{}}().inject({{config:{{}},posthog:window['__$$ph_site_app_{plugin_config.id}']}})", ) + def test_cors_access(self): + plugin = Plugin.objects.create(organization=self.team.organization, name="My Plugin", plugin_type="source") + PluginSourceFile.objects.create( + plugin=plugin, + filename="site.ts", + source="export function inject (){}", + transpiled="function inject(){}", + status=PluginSourceFile.Status.TRANSPILED, + ) + plugin_config = PluginConfig.objects.create( + plugin=plugin, + enabled=True, + order=1, + team=self.team, + config={}, + web_token="tokentoken", + ) + + unauthenticated_client = Client(enforce_csrf_checks=True) + unauthenticated_client.logout() + request_headers = {"HTTP_ACCESS_CONTROL_REQUEST_METHOD": "GET", "HTTP_ORIGIN": "*", "USER_AGENT": "Agent 008"} + response = unauthenticated_client.get( + f"/site_app/{plugin_config.id}/tokentoken/somehash/", + data={}, + follow=False, + secure=False, + headers={}, + **request_headers, + ) + + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual( + response.content.decode("utf-8"), + f"function inject(){{}}().inject({{config:{{}},posthog:window['__$$ph_site_app_{plugin_config.id}']}})", + ) + def test_get_site_config_from_schema(self): schema: list[dict] = [{"key": "in_site", "site": True}, {"key": "not_in_site"}] config = {"in_site": "123", "not_in_site": "12345"} diff --git a/posthog/settings/web.py b/posthog/settings/web.py index 5fd6e2a61c238..2b5649b89b954 100644 --- a/posthog/settings/web.py +++ b/posthog/settings/web.py @@ -255,7 +255,7 @@ LOGOUT_URL = "/logout" LOGIN_REDIRECT_URL = "/" APPEND_SLASH = False -CORS_URLS_REGEX = r"^/api/(?!early_access_features|surveys|web_experiments).*$" +CORS_URLS_REGEX = r"^(/site_app/|/api/(?!early_access_features|surveys|web_experiments).*$)" CORS_ALLOW_HEADERS = default_headers + CORS_ALLOWED_TRACING_HEADERS X_FRAME_OPTIONS = "SAMEORIGIN"
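Review bot: test_cors_access never asserts a CORS response header, so it passes with or without the CORS_URLS_REGEX change in this commit — django-cors-headers adds headers to matching responses rather than rejecting non-matching requests, so a 200 with the expected body is what the endpoint returned before the change too. After the status check, add `self.assertTrue(response.has_header("Access-Control-Allow-Origin"))` (and compare its value with the origin the project is expected to echo, or `"*"` if all origins are allowed), and consider a preflight `OPTIONS` request carrying `HTTP_ACCESS_CONTROL_REQUEST_METHOD`, which exercises the cross-origin path more directly than this GET. `"HTTP_ORIGIN": "*"` is not a syntactically valid Origin value; a concrete origin such as `"https://example.com"` (constructed) is closer to what a customer page sends, and `"USER_AGENT"` lacks the `HTTP_` prefix, so the test client will not send it as a header at all. The context lines at the top of the hunk are the tail of test_site_app, whose body starts outside the hunk.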
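Review bot: The new CORS_URLS_REGEX anchors its two alternatives differently — `$` sits inside the group on the `/api/` branch only, leaving `/site_app/` as a bare prefix — which works for a prefix match but reads as if the anchoring were accidental; `r"^(?:/site_app/|/api/(?!early_access_features|surveys|web_experiments))"` (or giving both branches `.*$`) states the intent explicitly and keeps the `/api/` behaviour identical to the old line. Opening `/site_app/` to cross-origin callers deserves a comment at the setting, since nothing in the settings file records why, e.g. `# /site_app/ serves site-app JS to customer pages on other origins (gated by the web token in the path), so it must carry CORS headers`. Whether those responses go to any origin or only to an allow-list depends on the CORS_ALLOW_ALL_ORIGINS / CORS_ALLOWED_ORIGINS settings, which are outside this hunk and worth confirming, as the prefix also covers every future sub-path under /site_app/.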