feat: allow cross-origin requests between users' own apps (#7688)

2025-07-13 21:36:50 +00:00 · 2023-06-07 11:08:14 -08:00
parent 125e9ef00e
commit f0c5201617
5 changed files with 195 additions and 32 deletions
--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@ -1170,7 +1170,7 @@ when required by your organization's security policy.`,
 		// ☢️ Dangerous settings
 		{
 			Name:        "DANGEROUS: Allow all CORs requests",
-			Description: "For security reasons, CORs requests are blocked. If external requests are required, setting this to true will set all cors headers as '*'. This should never be used in production.",
+			Description: "For security reasons, CORs requests are blocked except between workspace apps owned by the same user. If external requests are required, setting this to true will set all cors headers as '*'. This should never be used in production.",
 			Flag:        "dangerous-allow-cors-requests",
 			Env:         "CODER_DANGEROUS_ALLOW_CORS_REQUESTS",
 			Hidden:      true, // Hidden, should only be used by yarn dev server