moq-cli: make CORS on the HLS / WHIP-WHEP HTTP listeners configurable #1986

Description

@kixelated

Context

The HTTP endpoints moq-cli serves apply a fully-permissive CORS layer:

router.layer(CorsLayer::new().allow_origin(Any).allow_methods(Any).allow_headers(Any))

  • WHIP/WHEP (rtc) listener: rs/moq-cli/src/rtc.rs (serve)
  • HLS export listener: rs/moq-cli/src/hls.rs (export)

Raised by CodeRabbit on #1985 (thread: #1985 (comment)).

The concern

allow_origin(Any) on the WHIP/WHEP control routes means any website can drive a localhost or public listener from the browser, turning the gateway into a cross-site callable service. Same permissiveness on the HLS listener.

Why it's Any today

Browser WHIP/WHEP and HLS playback are cross-origin by nature (the player is usually served from a different origin than the gateway), so permissive CORS is the convenient default for a dev/gateway tool. But an operator running a public listener should be able to lock it down, and we currently give them no knob.

Proposal

Add a server-side flag to configure CORS on these HTTP listeners, e.g.:

  • --cors-origin <ORIGIN> (repeatable) — allowlist specific origins; when set, drop Any.
  • default: keep permissive (dev-friendly) or flip the default to no CORS and require opt-in — TBD, an API-design call.
  • consider narrowing allow_methods to the WHIP/WHEP set (POST, PATCH, DELETE, OPTIONS) + HLS (GET) rather than Any, independent of origin.

Applies to the hls export and rtc (WHIP/WHEP) listeners; possibly also the moq-native --server-bind web/cert-fingerprint server, which should share one CORS policy.

Out of scope for #1985

#1985 keeps the current Any behavior (it mirrors the pre-existing HLS export CORS); this issue tracks making it configurable.

(Filed by Claude Opus 4.8)
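
A std-only Rust model of the allowlist behaviour proposed above, added here as an example; it is not moq-cli code, and `CorsPolicy`, `from_flags`, `preflight` and the example.com origin are hypothetical. It shows what a preflight response would carry for the repeatable `--cors-origin` values and the narrowed method set, assuming the permissive default is kept when no origin is given.

```rust
// Added example: std-only model of the proposed policy, not moq-cli code.
// `CorsPolicy`, `from_flags` and `preflight` are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Send `Access-Control-Allow-Origin: <allow_origin>`; add `Vary: Origin` if `vary`.
    Allow { allow_origin: String, vary: bool },
    /// Send no CORS headers, so the browser fails the preflight.
    Deny,
}

pub struct CorsPolicy {
    origins: Vec<String>, // empty = permissive default (assumed; the issue leaves it TBD)
    methods: &'static [&'static str],
}

impl CorsPolicy {
    /// `flags` holds the values of the repeatable `--cors-origin` flag.
    pub fn from_flags(flags: &[&str]) -> Self {
        let origins = flags
            .iter()
            .map(|o| o.trim().trim_end_matches('/').to_ascii_lowercase())
            .filter(|o| !o.is_empty())
            .collect();
        // WHIP/WHEP set plus HLS GET, as listed in the proposal.
        CorsPolicy { origins, methods: &["GET", "POST", "PATCH", "DELETE", "OPTIONS"] }
    }

    /// `origin` is the request's Origin header, `requested` its
    /// Access-Control-Request-Method.
    pub fn preflight(&self, origin: &str, requested: &str) -> Decision {
        if !self.methods.iter().any(|m| *m == requested) {
            return Decision::Deny;
        }
        if self.origins.is_empty() {
            return Decision::Allow { allow_origin: "*".to_string(), vary: false };
        }
        // Exact match only: prefix or suffix matching would accept look-alike origins.
        let candidate = origin.to_ascii_lowercase();
        if self.origins.iter().any(|o| *o == candidate) {
            Decision::Allow { allow_origin: origin.to_string(), vary: true }
        } else {
            Decision::Deny
        }
    }
}

fn main() {
    let policy = CorsPolicy::from_flags(&["https://player.example.com"]); // constructed value
    println!("{:?}", policy.preflight("https://player.example.com", "POST"));
}
```

Echoing the matched origin together with `Vary: Origin` keeps shared caches from serving one origin's response to another.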
