Fix bug causing CORS to accept all origins by default (#1134)

CHANGELOG.md

@@ -2,8 +2,26 @@
 
 Canonical reference for changes, improvements, and bugfixes for Boundary.
 
+## Next
+
+### Bug Fixes
+
+* cors: Fix allowing all origins by default
+  [PR](https://github.com/hashicorp/boundary/pull/1134)
+
 ## 0.2.0 (2021/04/14)
 
+### Known Issues
+
+* By default, CORS support will allow all origins. This is due to a bug in how
+  the set of allowed origins was processed, in conjunction with changes to CORS
+  behavior to automatically include the origin of the Desktop Client. This will
+  be fixed in 0.2.1. In the meantime, this can be worked around by either
+  explicitly disabing CORS with `cors_enabled = false` in the `listener` config
+  block with purpose `api`; or setting an `allowed_origins` field to have values
+  other than `serve://boundary` (including values that do not map to any real
+  origin).
+
 ### Deprecations/Changes
 
 * The `auth-methods/<id>:authenticate:login` action is deprecated and will be

internal/servers/controller/cors_test.go

@@ -142,6 +142,13 @@ func TestHandler_CORS(t *testing.T) {
 			code:        http.StatusOK,
 			listenerNum: 3,
 		},
+		{
+			name:        "enabled with allowed origins and desktop origin",
+			method:      http.MethodPost,
+			origin:      "serve://boundary",
+			code:        http.StatusOK,
+			listenerNum: 3,
+		},
 		{
 			name:        "enabled with wildcard origins and no origin defined",
 			method:      http.MethodPost,

internal/servers/controller/handler.go

@@ -283,9 +283,7 @@ func wrapHandlerWithCors(h http.Handler, props HandlerProperties) http.Handler {
 		case len(allowedOrigins) == 0:
 			// not valid
 
-		case len(allowedOrigins) == 1 &&
-			(allowedOrigins[0] == "*" ||
-				allowedOrigins[0] == "serve://boundary"):
+		case len(allowedOrigins) == 1 && allowedOrigins[0] == "*":
 			valid = true
 
 		default: