Context
The HTTP endpoints moq-cli serves apply a fully-permissive CORS layer:
router.layer(CorsLayer::new().allow_origin(Any).allow_methods(Any).allow_headers(Any))
- WHIP/WHEP (rtc) listener: rs/moq-cli/src/rtc.rs (serve)
- HLS export listener: rs/moq-cli/src/hls.rs (export)
Raised by CodeRabbit on #1985 (thread: #1985 (comment)).
The concern
allow_origin(Any) on the WHIP/WHEP control routes means any website can drive a localhost or public listener from the browser, turning the gateway into a cross-site callable service. Same permissiveness on the HLS listener.
Why it's Any today
Browser WHIP/WHEP and HLS playback are cross-origin by nature (the player is usually served from a different origin than the gateway), so permissive CORS is the convenient default for a dev/gateway tool. But an operator running a public listener should be able to lock it down, and we currently give them no knob.
Proposal
Add a server-side flag to configure CORS on these HTTP listeners, e.g.:
- --cors-origin <ORIGIN> (repeatable) — allowlist specific origins; when set, drop Any.
- default: keep permissive (dev-friendly) or flip the default to no CORS and require opt-in — TBD, an API-design call.
- consider narrowing allow_methods to the WHIP/WHEP set (POST, PATCH, DELETE, OPTIONS) + HLS (GET) rather than Any, independent of origin.
Applies to the hls export and rtc (WHIP/WHEP) listeners; possibly also the moq-native --server-bind web/cert-fingerprint server, which should share one CORS policy.
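As an added illustration (not code from the moq repository), the policy the proposal sketches, written against std Rust only so it runs stand-alone: no --cors-origin values keeps today's Any, one or more values switches to an exact-match allowlist, and the method set is narrowed to WHIP/WHEP + HLS. The flag name, the function names and the sample origins are assumptions; in moq-cli the resulting policy would be handed to tower-http's CorsLayer (allow_origin accepts a list of origins in place of Any) rather than applied by hand as here.

```rust
use std::collections::HashSet;

/// Origin policy for the moq-cli HTTP listeners as the proposal sketches it:
/// today's permissive `Any`, or an explicit allowlist once `--cors-origin`
/// (hypothetical flag name) is given. Added illustration, not moq code.
#[derive(Debug, Clone, PartialEq)]
pub enum OriginPolicy {
    Any,
    List(HashSet<String>),
}

/// Narrowed method set from the proposal: WHIP/WHEP (POST, PATCH, DELETE,
/// OPTIONS) plus HLS (GET), instead of `allow_methods(Any)`.
pub const ALLOWED_METHODS: &[&str] = &["GET", "POST", "PATCH", "DELETE", "OPTIONS"];

/// Build the policy from repeated `--cors-origin` values. No values keeps the
/// dev-friendly default; any value switches to an exact-match allowlist.
pub fn policy_from_flags(origins: &[&str]) -> OriginPolicy {
    if origins.is_empty() {
        return OriginPolicy::Any;
    }
    // An origin is `scheme://host[:port]` with no path; strip a stray trailing slash
    // so "https://player.example/" on the command line still matches the browser's Origin.
    OriginPolicy::List(origins.iter().map(|o| o.trim_end_matches('/').to_string()).collect())
}

/// Method check used for preflight and actual requests alike.
pub fn method_allowed(method: &str) -> bool {
    ALLOWED_METHODS.iter().any(|m| m.eq_ignore_ascii_case(method))
}

/// Headers to attach to a response for a request that carried `Origin: origin`.
/// `None` means the origin is not allowlisted: no Access-Control-* headers are
/// emitted and the browser refuses to expose the response to that site.
pub fn cors_headers(policy: &OriginPolicy, origin: &str) -> Option<Vec<(String, String)>> {
    let mut headers: Vec<(String, String)> = Vec::new();
    match policy {
        OriginPolicy::Any => {
            headers.push(("access-control-allow-origin".into(), "*".into()));
        }
        OriginPolicy::List(allowed) => {
            if !allowed.contains(origin) {
                return None;
            }
            // Echo the one matching origin and mark the response as varying by
            // Origin so a shared cache never serves it to a different site.
            headers.push(("access-control-allow-origin".into(), origin.to_string()));
            headers.push(("vary".into(), "Origin".into()));
        }
    }
    headers.push(("access-control-allow-methods".into(), ALLOWED_METHODS.join(", ")));
    Some(headers)
}

fn main() {
    // Constructed sample: the permissive default beside a locked-down listener.
    let permissive = policy_from_flags(&[]);
    let locked = policy_from_flags(&["https://player.example", "http://localhost:5173"]);
    for origin in ["https://player.example", "https://other-site.example"] {
        println!("{origin}");
        println!("  default: {:?}", cors_headers(&permissive, origin));
        println!("  locked:  {:?}", cors_headers(&locked, origin));
    }
}
```

The Vary: Origin header matters as soon as a specific origin is echoed: without it an intermediary cache could hand a response tagged for one allowed origin to a request from another, which is the same cross-site exposure the allowlist was meant to close.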
Out of scope for #1985
#1985 keeps the current Any behavior (it mirrors the pre-existing HLS export CORS); this issue tracks making it configurable.
(Filed by Claude Opus 4.8)