[che-dev] Che 6.15-6.16 CORS changes

Hello everyone.

We have some news regarding CORS filter configuration changes in 6.16.

In Che 6.16 we plan to upgrade Tomcat from 8.5.23 to 8.5.35. This, however, will require us to update our CORS filter configuration for Che WS Master and WS Agent, since it would not allow our current CORS configuration, which is deemed to be insecure.
More information about the original Tomcat issue is at https://bz.apache.org/bugzilla/show_bug.cgi?id=62343
 
This is the configuration that will be applied for Che CORS filters in Che 6.16:
 
- WS Master - CORS Filter disabled
- WS Agent - CORS Filter enabled, allowing requests with credentials, providing Domain of WS Master as an allowed origin

Before we merge these changes in 6.16, options will be added to test this configuration in Che 6.15 (https://github.com/eclipse/che/pull/12046).
We encourage you to try this configuration in 6.15 version to see if it works for your Che installation.

Here are the steps to enable this configuration, using the following environment variables for Che deployment:

1) `CHE_CORS_ENABLED=false` - disable CORS on WS Master.
2) `CHE_WSAGENT_CORS_ALLOWED__ORIGINS=<wsmaster-domain>` - set the default allowed origin of WS Agent CORS, pointing to the domain of WS Master (replace `<wsmaster-domain>` with the actual WS Master domain)

If you discover a regression related to this configuration (for example, certain cross-origin requests are not working in your Che installation), please reach out to us describing the issues you have, so we may address them before the Che 6.16 release.


--

MYKHAILO KUZNIETSOV

Red Hat 

mkuznets@xxxxxxxxxx   
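
One way to check that a WS Agent answers as the configuration above intends (only the WS Master origin allowed, with credentials). This is an added example, not part of the original message or of the Che project; `check_cors`, `header_value`, the `example.com` origins and `AGENT_URL` are assumptions, and the sample responses are constructed.

```shell
#!/bin/sh
# header_value <lowercase-name>: print the value of one HTTP header read on stdin.
header_value() {
    awk -v name="$1" '{
        i = index($0, ":")               # split on the first colon only
        if (i && tolower(substr($0, 1, i - 1)) == name) {
            v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }
    }'
}

# check_cors <request-origin> <wsmaster-origin>: response headers on stdin.
# Returns 0 when the response matches the WS Agent policy, 1 otherwise.
check_cors() {
    req_origin=$1
    master_origin=$2
    headers=$(tr -d '\r')                # tolerate CRLF line endings
    acao=$(printf '%s\n' "$headers" | header_value access-control-allow-origin)
    acac=$(printf '%s\n' "$headers" | header_value access-control-allow-credentials)
    # A wildcard never satisfies "WS Master origin only".
    if [ "$acao" = "*" ]; then echo "FAIL: wildcard origin"; return 1; fi
    if [ "$req_origin" = "$master_origin" ]; then
        [ "$acao" = "$master_origin" ] || { echo "FAIL: WS Master origin not allowed"; return 1; }
        [ "$acac" = "true" ] || { echo "FAIL: credentials not allowed"; return 1; }
    elif [ "$acao" = "$req_origin" ]; then
        echo "FAIL: foreign origin $req_origin is allowed"; return 1
    fi
    echo "OK"
}

# Constructed sample responses (not captured from a real Che installation).
MASTER=https://che.example.com
good_resp='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://che.example.com
Access-Control-Allow-Credentials: true'
reflect_resp='HTTP/1.1 200 OK
access-control-allow-origin: https://other.example.net
Access-Control-Allow-Credentials: true'

printf '%s\n' "$good_resp" | check_cors "$MASTER" "$MASTER"

# Against a live agent (AGENT_URL is a placeholder):
#   curl -s -o /dev/null -D - -H "Origin: $MASTER" "$AGENT_URL" | check_cors "$MASTER" "$MASTER"
```

Running the live check once with the WS Master origin and once with an unrelated origin covers both branches of the policy.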

