From 2739020a5e591a42c19782e7aa4d4bd8abb3a7de Mon Sep 17 00:00:00 2001 From: Michal Faferek Date: Sat, 20 Jun 2026 21:03:48 +0200 Subject: [PATCH 1/3] fix(image): enable CORS for the documented web UI path The image ran with CORS off (no cors section -> empty allowed_origins), so the documented web-UI-next-to-gateway path failed with "Failed to fetch". Set allowed_origins: ["*"] in the Docker params; restrict origins / enable JWT auth for production. Closes #445 --- docker/gateway_docker_params.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docker/gateway_docker_params.yaml b/docker/gateway_docker_params.yaml index 160dbb66d..12ac981dd 100644 --- a/docker/gateway_docker_params.yaml +++ b/docker/gateway_docker_params.yaml @@ -7,3 +7,9 @@ ros2_medkit_gateway: host: "0.0.0.0" port: 8080 refresh_interval_ms: 2000 + # The web UI runs as a separate origin (its own host/port), so the + # documented "run the web UI next to the gateway" path needs CORS. Without + # it the browser gets "Failed to fetch". Restrict allowed_origins to your + # UI origin(s) and/or enable JWT auth for production. + cors: + allowed_origins: ["*"] From 6fab14afb5ec92af56ab8be17a62aa645524cb66 Mon Sep 17 00:00:00 2001 From: Michal Faferek Date: Sun, 21 Jun 2026 11:36:34 +0200 Subject: [PATCH 2/3] docs(docker): reflect the new permissive CORS image default The Docker params now enable CORS (allowed_origins: ["*"]) so the web UI works out of the box; update docker.rst, which still said CORS was disabled by default, and keep the production guidance to restrict origins. --- docs/tutorials/docker.rst | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/tutorials/docker.rst b/docs/tutorials/docker.rst index 61cbf9fb7..47b831f21 100644 --- a/docs/tutorials/docker.rst +++ b/docs/tutorials/docker.rst 
@@ -67,8 +67,10 @@ Test the gateway: Custom Configuration -------------------- -The default configuration listens on ``0.0.0.0:8080`` with CORS disabled. -To use a custom configuration, mount a params file: +The default configuration listens on ``0.0.0.0:8080``. CORS is enabled with a +permissive ``allowed_origins: ["*"]`` so the web UI works out of the box; +restrict it for production (see `CORS for Web UI`_ below). To use a custom +configuration, mount a params file: .. code-block:: bash @@ -211,8 +213,8 @@ For containers to discover each other's ROS 2 nodes, use the same ``ROS_DOMAIN_I CORS for Web UI --------------- -When the Web UI runs in a separate container or host, enable CORS in your -custom params file. CORS is disabled by default for production safety: +The image default allows all origins so the Web UI works out of the box. For +production, restrict ``allowed_origins`` to the specific UI origin(s): .. code-block:: yaml From 1a2e2b8b957f33b0c5de1bf97851095f49eedc53 Mon Sep 17 00:00:00 2001 From: Michal Faferek Date: Sun, 21 Jun 2026 11:42:57 +0200 Subject: [PATCH 3/3] fix(image): use explicit web UI origins, not wildcard CORS A wildcard origin with auth disabled and write methods enabled lets any site drive cross-origin POST/PUT/DELETE on a reachable gateway. Ship the default web UI origins (localhost:3000, localhost:5173) instead, so the documented UI path still works without exposing cross-origin writes. --- docker/gateway_docker_params.yaml | 10 +++++++--- docs/tutorials/docker.rst | 14 ++++++++------ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/docker/gateway_docker_params.yaml b/docker/gateway_docker_params.yaml index 12ac981dd..1d4049a57 100644 --- a/docker/gateway_docker_params.yaml +++ b/docker/gateway_docker_params.yaml 
@@ -9,7 +9,11 @@ ros2_medkit_gateway: refresh_interval_ms: 2000 # The web UI runs as a separate origin (its own host/port), so the # documented "run the web UI next to the gateway" path needs CORS. Without - # it the browser gets "Failed to fetch". Restrict allowed_origins to your - # UI origin(s) and/or enable JWT auth for production. + # it the browser gets "Failed to fetch". These are the default web UI + # origins; a wildcard is deliberately NOT used - with auth disabled and + # write methods enabled it would let any site drive cross-origin writes. + # Add your own UI origin(s) here, and enable JWT auth for production. cors: - allowed_origins: ["*"] + allowed_origins: + - "http://localhost:3000" + - "http://localhost:5173" diff --git a/docs/tutorials/docker.rst b/docs/tutorials/docker.rst index 47b831f21..84c042e67 100644 --- a/docs/tutorials/docker.rst +++ b/docs/tutorials/docker.rst @@ -67,10 +67,10 @@ Test the gateway: Custom Configuration -------------------- -The default configuration listens on ``0.0.0.0:8080``. CORS is enabled with a -permissive ``allowed_origins: ["*"]`` so the web UI works out of the box; -restrict it for production (see `CORS for Web UI`_ below). To use a custom -configuration, mount a params file: +The default configuration listens on ``0.0.0.0:8080``. CORS is enabled for the +default web UI origins (``http://localhost:3000`` and ``http://localhost:5173``) +so the web UI works out of the box; add your own UI origin(s) as needed (see +`CORS for Web UI`_ below). To use a custom configuration, mount a params file: .. code-block:: bash 
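Review bot: The rewritten comment frames the origin list as what stops cross-origin writes, but CORS is a browser-side read/preflight restriction, not authentication: a "simple" cross-origin POST (form-encoded or text/plain body, no custom headers) is still delivered to the gateway regardless of allowed_origins, and whether it then succeeds depends on which request shapes the gateway accepts, which this file does not show. I would rephrase the last two comment lines so the list reads as a usability setting and JWT auth as the actual protection: `# Note that CORS is a browser-side restriction, not authentication: a simple` / `# cross-origin POST is still delivered regardless of this list. Add your own` / `# UI origin(s) here, and enable JWT auth for production.`. Browsers also compare the Origin header literally, so a UI opened via http://127.0.0.1:3000 will not match the http://localhost:3000 entry; if the gateway matches origins as exact strings, listing the 127.0.0.1 forms as well would keep the "works out of the box" promise. The same overstatement is repeated in the docker.rst hunks that follow, and the enclosing `ros2_medkit_gateway:` mapping begins outside this hunk.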
@@ -213,8 +213,10 @@ For containers to discover each other's ROS 2 nodes, use the same ``ROS_DOMAIN_I CORS for Web UI --------------- -The image default allows all origins so the Web UI works out of the box. For -production, restrict ``allowed_origins`` to the specific UI origin(s): +The image enables CORS for the default web UI origins (``http://localhost:3000`` +and ``http://localhost:5173``). A wildcard is deliberately not used: with auth +disabled and write methods enabled it would let any site drive cross-origin +writes. Add your own UI origin(s): .. code-block:: yaml