CORS configuration too much #8393

Open
DeepDiver1975 opened this issue Feb 7, 2024 · 6 comments
@DeepDiver1975
Member

Describe the bug

As of now, some CORS parameters are configurable via env vars, e.g. OCIS_CORS_ALLOW_METHODS, OCIS_CORS_ALLOW_HEADERS (and OCIS_CORS_EXPOSE_HEADERS, see upcoming PR by @butonic).

Besides the fact that different services require different methods and headers and need to be configured on service level - changing the working default to anything different will most probably break some services partially.

Proposal

Do not configure allow methods, allow headers, expose headers and max age but leave this to the individual services.

@butonic
Member

butonic commented Feb 7, 2024

I agree, the only 'global' CORS config should be the allowed origin. The rest should IMO be hardcoded. At least we should drop the OCIS_CORS* env vars (save OCIS_CORS_ALLOW_ORIGINS).
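The split proposed in the two comments above, as an added Go example (not oCIS code): the origin allow-list is read from OCIS_CORS_ALLOW_ORIGINS, while methods and headers are fixed per service. The names `servicePolicy`, `davPolicy`, `allowedOrigins`, `withCORS` and `preflight` are hypothetical, the comma-separated value format is an assumption, and the sample methods, headers, path and origins are constructed.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// servicePolicy (hypothetical) is what a service fixes in code; davPolicy is constructed, not oCIS's defaults.
type servicePolicy struct{ Methods, AllowHeaders string }
var davPolicy = servicePolicy{"GET, PUT, PROPFIND, OPTIONS", "Authorization, Content-Type, Depth"}

func allowedOrigins() map[string]bool { // the only operator-facing setting; comma-separated is assumed
	set := map[string]bool{}
	for _, o := range strings.Split(os.Getenv("OCIS_CORS_ALLOW_ORIGINS"), ",") {
		set[strings.TrimSpace(o)] = true
	}
	return set
}

// withCORS echoes an origin only on an exact allow-list match; methods and headers come from p.
func withCORS(origins map[string]bool, p servicePolicy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		w.Header().Add("Vary", "Origin") // the response depends on the caller's origin
		if origin != "" && origins[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
				w.Header().Set("Access-Control-Allow-Methods", p.Methods)
				w.Header().Set("Access-Control-Allow-Headers", p.AllowHeaders)
				w.WriteHeader(http.StatusNoContent) // the preflight is answered here
				return
			}
		}
		next.ServeHTTP(w, r) // unknown origin: no CORS headers, so the browser blocks the read
	})
}

func preflight(origins map[string]bool, origin string) http.Header { // constructed PROPFIND preflight
	req := httptest.NewRequest(http.MethodOptions, "/dav/files", nil)
	req.Header = http.Header{"Origin": {origin}, "Access-Control-Request-Method": {"PROPFIND"}}
	rec := httptest.NewRecorder()
	withCORS(origins, davPolicy, http.NotFoundHandler()).ServeHTTP(rec, req)
	return rec.Header()
}

func main() {
	os.Stdout.WriteString(preflight(allowedOrigins(), "https://web.example.test").Get("Access-Control-Allow-Methods") + "\n")
}
```

Run it with OCIS_CORS_ALLOW_ORIGINS=https://web.example.test to see the service's fixed method list printed; with any other value the output line is empty.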

@micbar
Contributor

micbar commented Feb 7, 2024

> At least we should drop the OCIS_CORS* env vars (save OCIS_CORS_ALLOW_ORIGINS)

I agree generally, but on a higher level we need to really change our attitude towards config.

We are getting more and more feedback that today's practice leads to broken deployments on every release.

The reality is, nobody reads the docs.

The biggest problem is exactly what we have here: Removals of config which was working before.

@wkloucek
Contributor

The Helm Chart currently only exposes the CORS allow origins setting:

https://github.com/owncloud/ocis-charts/blob/d43e44276efffc37cc8e62621d99a255da7c4cb5/charts/ocis/values.yaml#L57-L61

@tailnet-h-usky-io

This comment was marked as off-topic.

@wkloucek
Contributor

> The OIDC server is hosted at: https://sso.[my domain].io
> OCIS is hosted at: https://oc.[my domain].io
>
> Expected behaviour
>
> Browser JavaScript requests to https://sso.[some domain].io should be allowed from OwnCloud
>
> Actual behaviour
>
> Browser JavaScript requests to https://sso.[some domain].io are blocked by CORS configuration. :(

Actually you need to configure CORS on your SSO for this to work.

@tailnet-h-usky-io

Thanks for the clarification, @wkloucek. Disregard the above.

Status: Qualification