From ddb1c9be0ea015fe52a76bb07be9ab7ce9c29665 Mon Sep 17 00:00:00 2001
From: Jason Bissict <jason@thinkst.com>
Date: Tue, 16 Jan 2024 06:40:10 +0200
Subject: [PATCH] Add handling for CORS preflight checks

---
 canarytokens/channel_http.py | 34 +++++++++++++++++++++++++++++++++-
 frontend/frontend.env.dist   |  6 +++---
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/canarytokens/channel_http.py b/canarytokens/channel_http.py
index 07bc10eac..d704abb3e 100644
--- a/canarytokens/channel_http.py
+++ b/canarytokens/channel_http.py
@@ -130,11 +130,12 @@ def render_GET(self, request: Request):
         request.setHeader("Server", "Apache")
         return resp
 
-    def render_OPTIONS(self, request):
+    def render_OPTIONS(self, request: Request):
         """
         Alert as if it is a normal GET request, but return the expected content and headers.
         """
         _ = self.render_GET(request)
+        _check_and_add_cors_preflight_headers(request)
         request.setHeader("Allow", "OPTIONS, GET, POST")
         request.setResponseCode(200)
         request.responseHeaders.removeHeader("Content-Type")
@@ -206,6 +207,37 @@ def render_POST(self, request: Request):
             return self.render_GET(request)
 
 
+def _check_and_add_cors_preflight_headers(request):
+    """
+    According to https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request, we
+    should check for `Access-Control-Request-Method` and `Origin` and optionally,
+    `Access-Control-Request-Headers` headers to determine its a preflight request; and
+    respond with `Access-Control-Allow-Origin` and `Access-Control-Allow-Methods`.
+    """
+    if (
+        request.getHeader("Access-Control-Request-Method") is None
+        or request.getHeader("Origin") is None
+    ):
+        return
+
+    acr_headers = request.getHeader("Access-Control-Request-Headers")
+    if acr_headers is not None:
+        request.setHeader("Access-Control-Allow-Headers", acr_headers)
+
+    request.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"))
+    request.setHeader("Access-Control-Allow-Methods", "OPTIONS, GET, POST")
+
+
+# Request
+# Access-Control-Request-Method: DELETE
+# Access-Control-Request-Headers: origin, x-requested-with
+# Origin: https://foo.bar.org
+
+# Response
+# Access-Control-Allow-Origin: https://foo.bar.org
+# Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
+
+
 class ChannelHTTP:
     def __init__(
         self,
diff --git a/frontend/frontend.env.dist b/frontend/frontend.env.dist
index 218c11d83..94d0d21b3 100644
--- a/frontend/frontend.env.dist
+++ b/frontend/frontend.env.dist
@@ -3,9 +3,9 @@ CANARY_DOMAINS=127.0.0.1
 CANARY_NXDOMAINS=nx.127.0.0.1
 #CANARY_SWITCHBOARD_SETTINGS_PATH=
 
-CANARY_SENTRY_DSN="https://06a5bffddffd4d0f8a9b675ea82a5fb5@o1177763.ingest.sentry.io/6312922"
-CANARY_SENTRY_ENVIRONMENT=local
-CANARY_SENTRY_ENABLE=False
+#CANARY_SENTRY_DSN=
+#CANARY_SENTRY_ENVIRONMENT=local
+#CANARY_SENTRY_ENABLE=False
 
 # template configurations
 #CANARY_TEMPLATES_PATH=