diff --git a/dev/src/main/java/com/google/adk/web/config/AdkWebCorsConfig.java b/dev/src/main/java/com/google/adk/web/config/AdkWebCorsConfig.java
index 2c8063f56..5e54f54cb 100644
--- a/dev/src/main/java/com/google/adk/web/config/AdkWebCorsConfig.java
+++ b/dev/src/main/java/com/google/adk/web/config/AdkWebCorsConfig.java
@@ -16,6 +16,8 @@
 package com.google.adk.web.config;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
@@ -42,8 +44,18 @@
 @Configuration
 public class AdkWebCorsConfig {
+ private static final Logger logger = LoggerFactory.getLogger(AdkWebCorsConfig.class);
+
 @Bean
 public CorsConfigurationSource corsConfigurationSource(AdkWebCorsProperties corsProperties) {
+ if (corsProperties.origins().contains("*")) {
+ logger.warn( "CORS is configured to allow all origins (\"*\"), which is insecure and intended for" + " local development only. This also applies to the /run_live WebSocket endpoint." + " Set 'adk.web.cors.origins' to an explicit allowlist to restrict which origins" + " may call the server.");
+ }
+
 CorsConfiguration configuration = new CorsConfiguration();
 configuration.setAllowedOrigins(corsProperties.origins());
diff --git a/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java b/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java
index d3c09cf8b..a17d72aff 100644
--- a/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java
+++ b/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java
@@ -16,6 +16,7 @@
 package com.google.adk.web.websocket;
+import com.google.adk.web.config.AdkWebCorsProperties;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.socket.config.annotation.EnableWebSocket;
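Review bot: The new guard calls `corsProperties.origins().contains("*")` ahead of the existing `configuration.setAllowedOrigins(corsProperties.origins())`, so a null origins list — which `setAllowedOrigins` tolerates — now fails the bean with an NPE at startup instead of producing the warning; whether `AdkWebCorsProperties` guarantees a non-null default is not visible in this diff. A null-safe form keeps the previous tolerance: `var origins = corsProperties.origins();` followed by `if (origins != null && origins.contains("*")) {`. The same unguarded dereference appears in `WebSocketConfig.registerWebSocketHandlers` in the second file of this commit. A one-line why-comment above the check, `// Only a literal "*" entry disables the Origin check; setAllowedOrigins does not expand patterns.`, would also record why no pattern matching is attempted here.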
@@ -28,14 +29,19 @@
 public class WebSocketConfig implements WebSocketConfigurer {
 private final LiveWebSocketHandler liveWebSocketHandler;
+ private final AdkWebCorsProperties corsProperties;
 @Autowired
- public WebSocketConfig(LiveWebSocketHandler liveWebSocketHandler) {
+ public WebSocketConfig(
+ LiveWebSocketHandler liveWebSocketHandler, AdkWebCorsProperties corsProperties) {
 this.liveWebSocketHandler = liveWebSocketHandler;
+ this.corsProperties = corsProperties;
 }
 @Override
 public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
- registry.addHandler(liveWebSocketHandler, "/run_live").setAllowedOrigins("*");
+ registry
+ .addHandler(liveWebSocketHandler, "/run_live")
+ .setAllowedOrigins(corsProperties.origins().toArray(new String[0]));
 }
 }
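Review bot: `registerWebSocketHandlers` now feeds the HTTP CORS allowlist into the handshake Origin check, but nothing at the registration site says why, and that Origin check is the only cross-site guard a WebSocket endpoint has (there is no preflight), so the coupling deserves a comment such as `// The handshake Origin check is the only cross-site guard for /run_live; it deliberately mirrors adk.web.cors.origins.`. `corsProperties.origins().toArray(new String[0])` also dereferences `origins()` without a null guard, the same point raised on the AdkWebCorsConfig hunk. `setAllowedOrigins` on the registration matches origins literally (or `*`), so if the HTTP side ever moves to origin patterns this call must change to `setAllowedOriginPatterns` too; a Javadoc sentence on the new constructor stating that `corsProperties` is the single source of origin policy for both transports would make that dependency explicit.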