diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47325522b72f..d45704258035 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -131,6 +131,7 @@ if input key is empty, or input data contains empty key.
 ### Improvements
+* (gRPC-Web) [\#9493](https://github.com/cosmos/cosmos-sdk/pull/9493) Add `EnableUnsafeCORS` flag to grpc-web config.
 * (store) [\#9403](https://github.com/cosmos/cosmos-sdk/pull/9403) Add `RefundGas` function to `GasMeter` interface
 * (baseapp, types) [\#9390](https://github.com/cosmos/cosmos-sdk/pull/9390) Add current block header hash to `Context`
 * (x/staking) [\#9423](https://github.com/cosmos/cosmos-sdk/pull/9423) Staking delegations now returns empty list instead of rpc error when no records found.
diff --git a/server/config/config.go b/server/config/config.go
index 8f1c47e88d2c..907e64a63490 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -140,6 +140,9 @@ type GRPCWebConfig struct {
 // Address defines the gRPC-web server to listen on
 Address string `mapstructure:"address"`
+
+ // EnableUnsafeCORS defines if CORS should be enabled (unsafe - use it at your own risk)
+ EnableUnsafeCORS bool `mapstructure:"enable-unsafe-cors"`
 }
 // StateSyncConfig defines the state sync snapshot configuration.
@@ -297,8 +300,9 @@ func GetConfig(v *viper.Viper) Config {
 Address: v.GetString("grpc.address"),
 },
 GRPCWeb: GRPCWebConfig{
- Enable: v.GetBool("grpc-web.enable"),
- Address: v.GetString("grpc-web.address"),
+ Enable: v.GetBool("grpc-web.enable"),
+ Address: v.GetString("grpc-web.address"),
+ EnableUnsafeCORS: v.GetBool("grpc-web.enable-unsafe-cors"),
 },
 StateSync: StateSyncConfig{
 SnapshotInterval: v.GetUint64("state-sync.snapshot-interval"),
diff --git a/server/config/toml.go b/server/config/toml.go
index 88197defe91b..d2eb2601e911 100644
--- a/server/config/toml.go
+++ b/server/config/toml.go
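Review bot: The doc comment on `EnableUnsafeCORS` in `GRPCWebConfig` calls the option unsafe without saying what it permits, and the same wording is repeated in the template comment added in server/config/toml.go. Going by the grpc_web.go change in this commit, turning it on makes the gRPC-Web server accept requests from every origin, so the comment should say so, for example `// EnableUnsafeCORS makes the gRPC-Web server accept cross-origin requests from any origin; keep it false unless the endpoint is meant to be called from arbitrary web pages.` The struct's opening lines are outside the hunk.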
@@ -184,6 +184,9 @@ enable = {{ .GRPCWeb.Enable }}
 # Address defines the gRPC-web server address to bind to.
 address = "{{ .GRPCWeb.Address }}"
+# EnableUnsafeCORS defines if CORS should be enabled (unsafe - use it at your own risk).
+enable-unsafe-cors = {{ .GRPCWeb.EnableUnsafeCORS }}
+
 ###############################################################################
 ### State Sync Configuration ###
 ###############################################################################
diff --git a/server/grpc/grpc_web.go b/server/grpc/grpc_web.go
index 67dc4364a80f..593779835a78 100644
--- a/server/grpc/grpc_web.go
+++ b/server/grpc/grpc_web.go
@@ -11,7 +11,16 @@ import (
 // StartGRPCWeb starts a gRPC-Web server on the given address.
 func StartGRPCWeb(grpcSrv *grpc.Server, config config.Config) (*http.Server, error) {
- wrappedServer := grpcweb.WrapServer(grpcSrv)
+ var options []grpcweb.Option
+ if config.GRPCWeb.EnableUnsafeCORS {
+ options = append(options,
+ grpcweb.WithOriginFunc(func(origin string) bool {
+ return true
+ }),
+ )
+ }
+
+ wrappedServer := grpcweb.WrapServer(grpcSrv, options...)
 handler := func(resp http.ResponseWriter, req *http.Request) {
 wrappedServer.ServeHTTP(resp, req)
 }
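Review bot: The origin callback added to `StartGRPCWeb` returns true for every value and never inspects `origin`, so with `enable-unsafe-cors` set any web page a user visits can issue gRPC-Web calls to this node from that user's browser. Whether the wrapper also allows credentialed requests is not visible here and is worth checking, since that would extend the exposure to anything relying on cookies or network position. An allowlist of origins compared inside the callback would be narrower than an all-or-nothing switch; failing that, log a warning at startup when the flag is on and mark the branch with a comment such as `// accepts every Origin: any website can call this endpoint from a visitor's browser`. The function body continues past the end of the hunk.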