fix(image): enable CORS for the documented web UI path #452

Merged: mfaferek93 merged 3 commits into main from fix/445-image-cors-default, Jun 21, 2026

@mfaferek93

Collaborator

The Docker params file has no `cors` section, so the image runs with CORS off (empty `allowed_origins`). The documented path of running the web UI next to the gateway then fails: the UI is a separate origin and every request returns "Failed to fetch".

This sets `cors.allowed_origins: ["*"]` in `docker/gateway_docker_params.yaml`. The gateway echoes the request origin (not a literal `*`) and blocks credentials+wildcard at startup; `allow_credentials` defaults false, so this is safe by default. Restrict origins / enable JWT auth for production.

Verified: gateway started with this params file logs `CORS enabled - origins: [*], ... credentials: false`, and `curl -H "Origin: http://localhost:3001" .../api/v1/health` returns `Access-Control-Allow-Origin: http://localhost:3001`.

Closes #445

The image ran with CORS off (no cors section -> empty allowed_origins),
so the documented web-UI-next-to-gateway path failed with "Failed to
fetch". Set allowed_origins: ["*"] in the Docker params; restrict
origins / enable JWT auth for production.

Closes #445
Copilot AI review requested due to automatic review settings June 20, 2026 19:03

Copilot AI left a comment

Contributor

Pull request overview

Enables CORS in the Docker image’s default ROS params so the separately-hosted ros2_medkit_web_ui can call the gateway API without browser cross-origin failures, aligning the container “quick start” with the documented UI workflow.

Changes:

  • Add a cors section to the Docker default params file.
  • Configure cors.allowed_origins to allow cross-origin browser requests by default.

Comment thread docker/gateway_docker_params.yaml Outdated
@mfaferek93 mfaferek93 self-assigned this Jun 20, 2026
The Docker params now enable CORS (allowed_origins: ["*"]) so the web UI
works out of the box; update docker.rst, which still said CORS was
disabled by default, and keep the production guidance to restrict origins.

A wildcard origin with auth disabled and write methods enabled lets any
site drive cross-origin POST/PUT/DELETE on a reachable gateway. Ship the
default web UI origins (localhost:3000, localhost:5173) instead, so the
documented UI path still works without exposing cross-origin writes.

@mfaferek93 mfaferek93 merged commit a4ef064 into main Jun 21, 2026
14 checks passed
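
The three states this PR moved through (no `cors` section, wildcard, then the two web UI origins), as a small Python model added here for illustration; it is not the gateway's code and covers only the `Access-Control-Allow-Origin` decision and the startup check described above. `CorsConfig`, `cors_headers` and `readable_from` are hypothetical names, and the `http://` scheme on the localhost origins is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsConfig:
    allowed_origins: tuple = ()        # empty means CORS is off
    allow_credentials: bool = False    # default stated in the PR description

    def validate(self):
        # The PR description says credentials plus wildcard is refused at startup.
        if self.allow_credentials and "*" in self.allowed_origins:
            raise ValueError("allow_credentials with a wildcard origin is refused")
        return self


def cors_headers(cfg, origin):
    """CORS response headers for a request carrying the given Origin header."""
    if not origin or not cfg.allowed_origins:
        return {}
    if "*" in cfg.allowed_origins or origin in cfg.allowed_origins:
        # Echo the request origin rather than a literal "*", as the PR describes.
        headers = {"Access-Control-Allow-Origin": origin}
        if cfg.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers
    return {}


def readable_from(cfg, origins):
    """Origins whose page scripts a browser would let read the response."""
    return [o for o in origins
            if cors_headers(cfg, o).get("Access-Control-Allow-Origin") == o]


# Constructed probe set: the two UI origins from the last commit (scheme assumed)
# plus an unrelated site standing in for "any other origin".
PROBES = ["http://localhost:3000", "http://localhost:5173", "https://unrelated.example"]

IMAGE_BEFORE = CorsConfig().validate()                              # no cors section
WILDCARD = CorsConfig(allowed_origins=("*",)).validate()            # first commit
UI_ONLY = CorsConfig(allowed_origins=tuple(PROBES[:2])).validate()  # last commit

if __name__ == "__main__":
    for name, cfg in [("off", IMAGE_BEFORE), ("wildcard", WILDCARD), ("ui-only", UI_ONLY)]:
        print(f"{name:9} -> {readable_from(cfg, PROBES)}")
```

The same probe set can be replayed against a running gateway with the `curl -H "Origin: ..."` check from the PR description to confirm which origins receive an `Access-Control-Allow-Origin` header.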
Successfully merging this pull request may close these issues.

Default CORS blocks the documented web UI path (image runs CORS off)

3 participants