Hi Joshua,

First off, CORS <https://www.w3.org/TR/cors/> isn't really a protection against CSRF. For CSRF mitigation ideas take a look here <https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md>. CORS is mostly a protection against asset and bandwidth theft. (See "Why CORS?" <https://www.codecademy.com/articles/what-is-cors>.)
Instead of thinking about CORS first, you really want to think about your web application. What assets will it be requesting, and where do they live? Your primary assets determine the rules that work for free (i.e. you can always load things from the same spot, typically your domain or an *.appspot.com address). The other spots need to be told that they can permit / give permission for your app to access the data.

As I mentioned earlier, static assets on App Engine are set in your appengine-web.xml <https://cloud.google.com/appengine/docs/standard/java/config/appref> or app.yaml <https://cloud.google.com/appengine/docs/standard/go/config/appref> files. Dynamic assets will need code; for Java Servlets it's usually easiest to add a filter <https://howtodoinjava.com/servlets/java-cors-filter-example/> that runs before the Servlet. Other frameworks have similar mechanisms.

Google APIs depend on the service you're accessing. The most common is Cloud Storage, which has a page on CORS <https://cloud.google.com/storage/docs/cross-origin> and configuration <https://cloud.google.com/storage/docs/configuring-cors>. Other Google properties & APIs that expect to be accessed via a web application will be configured appropriately or provide a mechanism <https://developers.google.com/api-client-library/javascript/features/cors>.

Hope that helps,
Les

On Sun, Apr 14, 2019 at 12:23 AM Joshua Fox <[email protected]> wrote:
> Thank you, Les,
>
> However, Google Cloud serves our content from multiple domains besides our own, including appspot.com, google.com, googleusercontent.com, googleapis.com, and many others. How can we allow access to these domains (as well as our own) with CORS headers, yet maintain security against CSRF?
>
> On Sat, Apr 13, 2019 at 1:24 AM 'Les Vogel' via Google App Engine <[email protected]> wrote:
>> [bcc: three googlers]
>> Hi Joshua,
>>
>> I read the docs <https://cloud.google.com/appengine/docs/standard/java/config/appref> a bit closer and if you look under <static-files>, it gives a CORS example without ever mentioning CORS. (I've asked that this gets fixed.) Again, it's only for static content.
>>
>> Les
>>
>> On Fri, Apr 12, 2019 at 3:05 PM Les Vogel <[email protected]> wrote:
>>> [bcc: a couple googlers]
>>> Hi Joshua,
>>>
>>> Sorry for the terse response earlier. The enable-cors answer will work in many cases, but is incomplete, and you'll find yourself adding it to all your pages. Of course, a full answer is a lot more complicated and depends on what you are trying to serve and where you are serving it from. Your static assets will need one kind of CORS headers similar to what the documentation is showing you for Go / Python. It's been a while since I did that for Java, so I'll need to look that up if that's what you're looking for.
>>>
>>> If you are trying to serve dynamic content that needs CORS headers, then you'll probably want to look at:
>>> https://stackoverflow.com/questions/8303162/jetty-cross-origin-filter
>>> and https://howtodoinjava.com/servlets/java-cors-filter-example/
>>>
>>> Take a look at that, and let me know if that doesn't work for you and I'll try to look up what to change in appengine-web.xml for CORS support.
>>>
>>> Les
>>>
>>> On Fri, Apr 12, 2019 at 1:43 PM Les Vogel <[email protected]> wrote:
>>>> See https://enable-cors.org/server_appengine.html
>>>>
>>>> On Thu, Apr 11, 2019 at 7:44 AM Joshua Fox <[email protected]> wrote:
>>>>> In AppEngine Python and Go <https://cloud.google.com/appengine/docs/standard/go/config/appref>, one defines CORS headers in app.yaml.
>>>>>
>>>>> But in Java, the documentation does not mention this <https://cloud.google.com/appengine/docs/standard/java/config/appref>. How do I do the equivalent in Java?
>>>>>
>>>>> --
>>>>> JOSHUA FOX
>>>>> Director, Software Architecture | Freightos
>>>>> T (Israel): +972-545691165 | T (US): +1-3123400953
>>>>> Smooth shipping.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google Groups "Google App Engine" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>> To post to this group, send email to [email protected].
>>>>> Visit this group at https://groups.google.com/group/google-appengine.
>>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/CAD%3DB7cN%3Du7OH6eEL7jRZGf9eUo3YAOecu7UPPkt-7mLdWFG4oA%40mail.gmail.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>> --
>>>> Les Vogel
>>>> Cloud Developer Relations
>>>> [email protected]
>>>> +1-408-676-7023
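As an added example, not Les's code and not taken from any of the pages he links, here is the kind of servlet filter he recommends for dynamic content on App Engine standard. It assumes the javax.servlet API (Java 8 / Jetty 9 runtime with Servlet 3.1 annotations) and a hypothetical allowlist of two origins; the `/api/*` path and both origins are placeholders. The security-relevant choices: the filter compares the incoming Origin against an exact allowlist instead of reflecting it or sending `*` (browsers reject `*` combined with `Access-Control-Allow-Credentials: true`), it emits `Vary: Origin` so a shared cache cannot serve one origin's allow header to another, and it answers preflight requests itself, returning 403 for unknown origins. As Les says, none of this replaces CSRF defenses: a cross-site HTML form POST is a "simple" request that the browser sends without any CORS check, so the server still needs a CSRF token or a SameSite cookie policy from the OWASP cheat sheet above.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example CORS filter for App Engine standard (javax.servlet).
 * Added as an illustration; not code from the thread. The path and the
 * origin list are placeholders (assumption): replace them with the paths
 * of your dynamic handlers and the origins your front end is served from.
 */
@WebFilter(urlPatterns = "/api/*")
public class CorsFilter implements Filter {

    // Assumption: hypothetical origins allowed to call this API.
    // Exact scheme + host (+ port) strings; no wildcards, no prefix matching.
    private static final Set<String> ALLOWED_ORIGINS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "https://example.com",
                    "https://my-project.appspot.com")));

    private static final String ALLOWED_METHODS = "GET, POST, OPTIONS";
    private static final String ALLOWED_HEADERS = "Content-Type, X-Requested-With";
    private static final String MAX_AGE_SECONDS = "600";

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The response differs per Origin, so caches must key on it.
        response.addHeader("Vary", "Origin");

        String origin = request.getHeader("Origin");
        boolean allowed = origin != null && ALLOWED_ORIGINS.contains(origin);

        if (allowed) {
            // Echo only an allowlisted value: never "*" with credentials,
            // and never an unchecked reflection of the incoming Origin.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
        }

        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            // Answer the preflight here; the servlet never sees it.
            if (allowed) {
                response.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
                response.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
                response.setHeader("Access-Control-Max-Age", MAX_AGE_SECONDS);
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            } else {
                // Unknown origin: no allow headers, and the browser will
                // refuse to send the actual request.
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            }
            return;
        }

        // Actual request: the servlet runs; the browser enforces the
        // allow headers (if any) on the response it gets back.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Two caveats that follow from Les's reply: this filter only covers requests that reach your servlets, so static files served by the App Engine frontend still need the `http-header` entries under `<static-files>` in appengine-web.xml that he points to, and objects fetched directly from Cloud Storage need the bucket CORS configuration rather than anything in your app. Keeping the allowlist to your own origins is also the answer to the multi-domain question above: CORS headers are set by whichever server holds the asset, so Google-hosted domains that already expect browser access configure their own, and your app only needs to name the origins that are allowed to read from it.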
