From 25d5827e54823d91fc335678795f609cf97c27bd Mon Sep 17 00:00:00 2001
From: Kathryn Beaty
Date: Tue, 18 Jul 2023 13:58:06 -0400
Subject: [PATCH 1/3] add cors to oembed endpoint

---
 src/core/server/app/router/api/index.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/core/server/app/router/api/index.ts b/src/core/server/app/router/api/index.ts
index c09d0ace6a..24edb15801 100644
--- a/src/core/server/app/router/api/index.ts
+++ b/src/core/server/app/router/api/index.ts
@@ -1,3 +1,4 @@
+import cors from "cors";
 import express from "express";
 import passport from "passport";
 
@@ -95,6 +96,7 @@ export function createAPIRouter(app: AppOptions, options: RouterOptions) {
   router.get("/oembed", cspSiteMiddleware(app), oembedHandler(app));
   router.get(
     "/services/oembed",
+    cors(),
     commentEmbedWhitelisted(app),
     oembedProviderHandler(app)
   );

From d9cef98178851bcd8a47ef74f362747a85aa524c Mon Sep 17 00:00:00 2001
From: Kathryn Beaty
Date: Wed, 19 Jul 2023 09:09:16 -0400
Subject: [PATCH 2/3] update oembed cors options to delegate site

---
 .../app/middleware/commentEmbedWhitelisted.ts | 33 +++++++++++++++++--
 src/core/server/app/router/api/index.ts | 3 +-
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/src/core/server/app/middleware/commentEmbedWhitelisted.ts b/src/core/server/app/middleware/commentEmbedWhitelisted.ts
index 68c0f5c4fb..0ccb3732e7 100644
--- a/src/core/server/app/middleware/commentEmbedWhitelisted.ts
+++ b/src/core/server/app/middleware/commentEmbedWhitelisted.ts
@@ -1,8 +1,11 @@
-import { AppOptions } from "coral-server/app";
+import { CorsOptionsDelegate } from "cors";
+
+import { MongoContext } from "coral-server/data/context";
 import { retrieveComment } from "coral-server/models/comment";
 import { retrieveSite } from "coral-server/models/site";
-import { RequestHandler } from "coral-server/types/express";
+import { Request, RequestHandler } from "coral-server/types/express";
+import { AppOptions } from "..";
 
 import { getRequesterOrigin } from "../helpers";
 
 export const commentEmbedWhitelisted =
@@ -29,7 +32,10 @@ export const commentEmbedWhitelisted =
     if (siteID) {
       const site = await retrieveSite(mongo, tenant.id, siteID);
       if (site) {
-        const origin = getRequesterOrigin(req);
+        let origin: string | null | undefined = getRequesterOrigin(req);
+        if (!origin) {
+          origin = req.header("Origin");
+        }
         if (origin) {
           if (site.allowedOrigins.includes(origin)) {
             return next();
@@ -40,3 +46,24 @@ export const commentEmbedWhitelisted =
     }
     res.sendStatus(401);
   };
+
+/**
+ * Creates the options for the "cors" middleware which whitelists
+ * site origins for the single comment embed.
+ *
+ * @param mongo the database connection
+ * @returns CorsOptionsDelegate
+ */
+export function createCommentEmbedCorsOptionsDelegate(
+  mongo: MongoContext
+): CorsOptionsDelegate {
+  return async (req: Request, callback) => {
+    const originHeader = req.header("Origin");
+    const tenantID = req.coral.tenant?.id;
+    if (!originHeader || !tenantID) {
+      callback(null, { origin: false }); // disable CORS for this request
+      return;
+    }
+    callback(null, { origin: true });
+  };
+}
diff --git a/src/core/server/app/router/api/index.ts b/src/core/server/app/router/api/index.ts
index 24edb15801..34bc5793c8 100644
--- a/src/core/server/app/router/api/index.ts
+++ b/src/core/server/app/router/api/index.ts
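Review bot: `createCommentEmbedCorsOptionsDelegate` answers `{ origin: true }` for every request that carries an Origin header and a tenant, which the cors package treats as "reflect the request origin" in Access-Control-Allow-Origin; neither `mongo` nor `site.allowedOrigins` is consulted, so the docstring's claim that it "whitelists site origins" is not what the code does and the `mongo` parameter is unused. The only restriction comes from ordering in the router hunk of src/core/server/app/router/api/index.ts, where `commentEmbedWhitelisted(app)` runs first and sends 401 before the cors middleware is reached, so a later reordering of those two middlewares would silently make the reflection unconditional. Either resolve the site inside the delegate the same way `commentEmbedWhitelisted` does (its site lookup starts above this hunk) and pass `{ origin: site.allowedOrigins }`, or make the contract explicit by dropping the unused parameter and rewording the docstring to `Builds cors options for the single comment embed; relies on commentEmbedWhitelisted running first to reject origins not in site.allowedOrigins.` The `async` on the returned delegate is also unneeded, since nothing is awaited and the cors delegate API is callback-based.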
@@ -13,6 +13,7 @@ import {
   authenticate,
   commentEmbedWhitelisted,
   corsWhitelisted,
+  createCommentEmbedCorsOptionsDelegate,
   cspSiteMiddleware,
   JSONErrorHandler,
   jsonMiddleware,
@@ -96,8 +97,8 @@ export function createAPIRouter(app: AppOptions, options: RouterOptions) {
   router.get("/oembed", cspSiteMiddleware(app), oembedHandler(app));
   router.get(
     "/services/oembed",
-    cors(),
     commentEmbedWhitelisted(app),
+    cors(createCommentEmbedCorsOptionsDelegate(app.mongo)),
     oembedProviderHandler(app)
   );
   router.get(

From da377477c6c4e2d32470dd5b0262d672079afa3d Mon Sep 17 00:00:00 2001
From: Tessa Thornton
Date: Wed, 19 Jul 2023 14:30:12 -0400
Subject: [PATCH 3/3] bump to 8.4.2

---
 package-lock.json | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 3897d7ef5c..a1cc0cb83e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@coralproject/talk",
-  "version": "8.4.1",
+  "version": "8.4.2",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "@coralproject/talk",
-      "version": "8.4.1",
+      "version": "8.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@ampproject/toolbox-cache-url": "^2.9.0",
diff --git a/package.json b/package.json
index 6044050cd4..f74b7a2237 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@coralproject/talk",
-  "version": "8.4.1",
+  "version": "8.4.2",
   "author": "The Coral Project",
   "homepage": "https://coralproject.net/",
   "sideEffects": [