From 5a1044ddae5a5f110263b9c464f576384d533036 Mon Sep 17 00:00:00 2001 From: Tom Wheeler Date: Tue, 13 Aug 2024 10:59:53 -0500 Subject: [PATCH 1/4] Disabled origin check in Svelte configuration This change allows the web application to access the API servers in GitPod --- svelte.config.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/svelte.config.js b/svelte.config.js index f94eeef..21376d3 100644 --- a/svelte.config.js +++ b/svelte.config.js @@ -6,7 +6,10 @@ const config = { preprocess: vitePreprocess(), kit: { - adapter: adapter() + adapter: adapter(), + csrf: { + checkOrigin: false, + } } }; From d6cb3684380d9aecdbdc97ee57d827aaef806520 Mon Sep 17 00:00:00 2001 From: Tom Wheeler Date: Tue, 13 Aug 2024 11:24:28 -0500 Subject: [PATCH 2/4] Update README.md to explain PR #6 --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 51ef451..da68a2e 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,10 @@ pnpm dev This starts a local server. You can navigate to http://127.0.0.1:5173/ to view the web application. +NOTE: As a workaround for deployment to [GitPod|https://gitpod.io/], in which the domain of each application +container is assigned dynamically, this application [disables the CSRF origin check](https://github.com/temporalio/reference-app-orders-web/blob/5a1044ddae5a5f110263b9c464f576384d533036/svelte.config.js#L10-L12). [Pull request #6](https://github.com/temporalio/reference-app-orders-web/pull/5) describes this in more detail, and we recommend reinstating this origin check for improved security in a +real-world deployment. + ## Building the Web Application From b6b3c9fd4f96459ca76243a3d672a89284b3d06b Mon Sep 17 00:00:00 2001 From: Tom Wheeler Date: Tue, 13 Aug 2024 11:25:06 -0500 Subject: [PATCH 3/4] Fixed link syntax --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index da68a2e..7b23827 100644 --- a/README.md +++ b/README.md 
@@ -24,7 +24,7 @@ pnpm dev This starts a local server. You can navigate to http://127.0.0.1:5173/ to view the web application. -NOTE: As a workaround for deployment to [GitPod|https://gitpod.io/], in which the domain of each application +NOTE: As a workaround for deployment to [GitPod](https://gitpod.io/), in which the domain of each application container is assigned dynamically, this application [disables the CSRF origin check](https://github.com/temporalio/reference-app-orders-web/blob/5a1044ddae5a5f110263b9c464f576384d533036/svelte.config.js#L10-L12). [Pull request #6](https://github.com/temporalio/reference-app-orders-web/pull/5) describes this in more detail, and we recommend reinstating this origin check for improved security in a real-world deployment. From ecfb8c39cb621337195eb5e0e1ce7ff52a56e4d2 Mon Sep 17 00:00:00 2001 From: Tom Wheeler Date: Tue, 13 Aug 2024 11:25:37 -0500 Subject: [PATCH 4/4] corrected link target --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7b23827..e487b3c 100644 --- a/README.md +++ b/README.md 
@@ -25,7 +25,7 @@ pnpm dev This starts a local server. You can navigate to http://127.0.0.1:5173/ to view the web application. NOTE: As a workaround for deployment to [GitPod](https://gitpod.io/), in which the domain of each application -container is assigned dynamically, this application [disables the CSRF origin check](https://github.com/temporalio/reference-app-orders-web/blob/5a1044ddae5a5f110263b9c464f576384d533036/svelte.config.js#L10-L12). [Pull request #6](https://github.com/temporalio/reference-app-orders-web/pull/5) describes this in more detail, and we recommend reinstating this origin check for improved security in a +container is assigned dynamically, this application [disables the CSRF origin check](https://github.com/temporalio/reference-app-orders-web/blob/5a1044ddae5a5f110263b9c464f576384d533036/svelte.config.js#L10-L12). [Pull request #6](https://github.com/temporalio/reference-app-orders-web/pull/6) describes this in more detail, and we recommend reinstating this origin check for improved security in a real-world deployment.
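Review bot: in the svelte.config.js hunk of PATCH 1/4, `checkOrigin: false` turns SvelteKit's CSRF origin check off unconditionally, so the GitPod workaround is also in effect in every production build of this repository, and nothing in the config says why it is there. Scope it to the environment that needs it and document it in place, for example (env var name is a suggestion, not something the repo defines): `csrf: { // GitPod assigns workspace origins dynamically; see README` / `checkOrigin: !process.env.ALLOW_CROSS_ORIGIN_FORMS,` / `}`. With that, a normal build keeps the default (`true`) and only a workspace that sets the flag relaxes it. Note also that the commit message describes the change as letting the web app reach the API servers, but `kit.csrf.checkOrigin` only governs the Origin header check on form submissions to the SvelteKit server itself, so a sentence in the README or config stating which request is actually being blocked in GitPod would help the next person decide whether the relaxation is still needed.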
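Review bot: the README hunk in PATCH 2/4 lands with two defects in the new NOTE paragraph, the wiki-style link `[GitPod|https://gitpod.io/]` (should be `[GitPod](https://gitpod.io/)`) and a "Pull request #6" label whose URL points at `/pull/5`; PATCH 3/4 and PATCH 4/4 only exist to fix these, so squash the three commits before merge rather than leaving a broken README in history. The pinned permalink to `svelte.config.js#L10-L12` at commit 5a1044d is the right way to reference the setting. The closing sentence, "we recommend reinstating this origin check for improved security", would be more useful if it said what the check defends against, namely form submissions to this app from other origins, and how to reinstate it (remove the `csrf` block or set `checkOrigin: true`), so that anyone deploying outside GitPod knows exactly what to change.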