coder
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 7 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 7 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000277_workspace_app_cors_behavior.down.sql
Lines changed: 4 additions & 0 deletions b/‎coderd/database/migrations/000277_workspace_app_cors_behavior.down.sql
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000277_workspace_app_cors_behavior.up.sql
Lines changed: 10 additions & 0 deletions b/‎coderd/database/migrations/000277_workspace_app_cors_behavior.up.sql
Lines changed: 10 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 60 additions & 1 deletion b/‎coderd/database/models.go
Lines changed: 60 additions & 1 deletion
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 13 additions & 5 deletions b/‎coderd/database/queries.sql.go
Lines changed: 13 additions & 5 deletions
diff --git a/‎coderd/database/queries/workspaceapps.sql
Lines changed: 2 additions & 1 deletion b/‎coderd/database/queries/workspaceapps.sql
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/sqlc.yaml
Lines changed: 1 addition & 0 deletions b/‎coderd/database/sqlc.yaml
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/httpmw/cors.go
Lines changed: 6 additions & 0 deletions b/‎coderd/httpmw/cors.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/httpmw/cors_test.go
Lines changed: 2 additions & 1 deletion b/‎coderd/httpmw/cors_test.go
Lines changed: 2 additions & 1 deletion
@@ -8173,6 +8173,7 @@ func (q *FakeQuerier) InsertWorkspaceApp(_ context.Context, arg database.InsertW
 		Health:               arg.Health,
 		Hidden:               arg.Hidden,
 		DisplayOrder:         arg.DisplayOrder,
+		CorsBehavior:         arg.CorsBehavior,
 	}
 	q.workspaceApps = append(q.workspaceApps, workspaceApp)
 	return workspaceApp, nil
 
@@ -0,0 +1,4 @@
+ALTER TABLE workspace_apps
+    DROP COLUMN IF EXISTS cors_behavior;
+
+DROP TYPE IF EXISTS app_cors_behavior;
@@ -0,0 +1,10 @@
+CREATE TYPE app_cors_behavior AS ENUM (
+    'simple',
+    'passthru'
+);
+
+-- https://www.postgresql.org/docs/16/sql-altertable.html
+-- When a column is added with ADD COLUMN and a non-volatile DEFAULT is specified, the default is evaluated at the time
+-- of the statement and the result stored in the table's metadata. That value will be used for the column for all existing rows.
+ALTER TABLE workspace_apps
+    ADD COLUMN cors_behavior app_cors_behavior NOT NULL DEFAULT 'simple'::app_cors_behavior;
@@ -24,6 +24,7 @@ INSERT INTO
         external,
         subdomain,
         sharing_level,
+        cors_behavior,
         healthcheck_url,
         healthcheck_interval,
         healthcheck_threshold,
@@ -32,7 +33,7 @@ INSERT INTO
         hidden
     )
 VALUES
-    ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17) RETURNING *;
+    ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18) RETURNING *;
 
 -- name: UpdateWorkspaceAppHealthByID :exec
 UPDATE
 
@@ -146,6 +146,7 @@ sql:
           login_type_oauth2_provider_app: LoginTypeOAuth2ProviderApp
           crypto_key_feature_workspace_apps_api_key: CryptoKeyFeatureWorkspaceAppsAPIKey
           crypto_key_feature_oidc_convert: CryptoKeyFeatureOIDCConvert
+          app_cors_behavior: AppCORSBehavior
 rules:
   - name: do-not-use-public-schema-in-queries
     message: "do not use public schema in queries"
 
@@ -8,6 +8,7 @@ import (
 	"github.com/go-chi/cors"
 
 	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
+	ws_cors "github.com/coder/coder/v2/coderd/workspaceapps/cors"
 )
 
 const (
@@ -47,6 +48,11 @@ func Cors(allowAll bool, origins ...string) func(next http.Handler) http.Handler
 func WorkspaceAppCors(regex *regexp.Regexp, app appurl.ApplicationURL) func(next http.Handler) http.Handler {
 	return cors.Handler(cors.Options{
 		AllowOriginFunc: func(r *http.Request, rawOrigin string) bool {
+			// If passthru behavior is set, disable our simplified CORS handling.
+			if ws_cors.HasBehavior(r.Context(), ws_cors.AppCORSBehaviorPassthru) {
+				return true
+			}
+
 			origin, err := url.Parse(rawOrigin)
 			if rawOrigin == "" || origin.Host == "" || err != nil {
 				return false
 
@@ -105,7 +105,8 @@ func TestWorkspaceAppCors(t *testing.T) {
 					r.Header.Set("Access-Control-Request-Method", method)
 				}
 
-				handler := httpmw.WorkspaceAppCors(regex, test.app)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+				// TODO: signed token provider
+				handler := httpmw.WorkspaceAppCors(nil, regex, test.app)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 					rw.WriteHeader(http.StatusNoContent)
 				}))
Original file line number	Diff line number	Diff line change
`@@ -8173,6 +8173,7 @@ func (q *FakeQuerier) InsertWorkspaceApp(_ context.Context, arg database.InsertW`
`8173`	`8173`	`Health: arg.Health,`
`8174`	`8174`	`Hidden: arg.Hidden,`
`8175`	`8175`	`DisplayOrder: arg.DisplayOrder,`
	`8176`	`+ CorsBehavior: arg.CorsBehavior,`
`8176`	`8177`	`}`
`8177`	`8178`	`q.workspaceApps = append(q.workspaceApps, workspaceApp)`
`8178`	`8179`	`return workspaceApp, nil`
Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,8 @@ func TestWorkspaceAppCors(t *testing.T) {`
`105`	`105`	`r.Header.Set("Access-Control-Request-Method", method)`
`106`	`106`	`}`
`107`	`107`
`108`		`- handler := httpmw.WorkspaceAppCors(regex, test.app)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {`
	`108`	`+ // TODO: signed token provider`
	`109`	`+ handler := httpmw.WorkspaceAppCors(nil, regex, test.app)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {`
`109`	`110`	`rw.WriteHeader(http.StatusNoContent)`
`110`	`111`	`}))`
`111`	`112`