Disable `cors` in `LTIService` (#307)

tl-its-umich-edu / canvas-course-manager-next

Canvas Course Manager Next: A redesign of the existing CCM application. It extends Canvas features, makes cumbersome features easier to use, and adds new features.

8 stars 9 forks source link

Disable `cors` in `LTIService` (#307) #308

Closed ssciolla closed 2 years ago

ssciolla commented 2 years ago

The PR aims to resolve #307.

Notes:

I'm requesting reviews from the entire development team, as this is a minuscule code change and others may have expertise regarding LTI and web security to contribute. See issue for details.

ssciolla commented 2 years ago

Merging, so we can test with a deployment.

pushyamig commented 2 years ago

I will QA this

pushyamig commented 2 years ago

I did not see any LTI launch oddities when changing cors to false/true. I tested this from multiple browser (Chrome, Edge) and things seems to be fine.

I think we can make it cors toggle as configurable. But I don't think it is needed based on my testing.