
refactor: apply cors #5365

Merged
merged 1 commit into from
Aug 6, 2024

Conversation

Kavinjsir
Contributor

@Kavinjsir Kavinjsir commented Aug 1, 2024

Description

  1. Changes the CORS allowed origins for the local application from * to the default local HTTP URL (usually http://localhost:9009)
  2. Adds a flag --allowed-origins to provide additional allowed origins

Example: Specifying an additional allowed origin

rill start --allowed-origins="http://rill.local"

Motivation

Resolve #5039

@Kavinjsir
Contributor Author

I think this PR is ready for review.
One concern left is CSP.
It looks like the current one is well defined:
https://github.com/rilldata/rill/blob/v0.47.5/netlify.toml#L6-L14

Perhaps the only concern is if we ever want to drop unsafe-eval or unsafe-inline.
cc: @himadrisingh, would you have some suggestions?

@himadrisingh
Contributor

We have third-party dependencies which require unsafe-eval; unless we get them compliant with CSP it would be difficult.

@Kavinjsir
Contributor Author

Kavinjsir commented Aug 2, 2024

We have third-party dependencies which require unsafe-eval; unless we get them compliant with CSP it would be difficult.

@himadrisingh if vega is the mentioned one, it seems they have a resolution, I tried opening a PR for discussion at: #4784
#5376


As @djbarnwal has already made great contribution and there has been an upstream PR for vega to review, I think we can deal with CSP later.

@himadrisingh
Contributor

Did we test it locally and see if it fixes the issue?

@Kavinjsir
Contributor Author

Did we test it locally and see if it fixes the issue?

@himadrisingh Yeah, here’s what I tested locally:

  1. HOST A: ran the compiled rill CLI based on this PR with the following command:
go run ./cli start --verbose --debug <local-rill-project-path> --allowed-origins="http://localhost:3000" --allowed-origins="http://localhost:4000"

This sets the allowed origins to ["localhost:3000", "localhost:4000"].

  2. HOST B: set up a simple HTTP server using:
python3 -m http.server 4003

With an HTML file like this:

<!DOCTYPE html>
<html>

<head>
  <title>
    CORS Test
  </title>
</head>

<body>
  <script>
    fetch("http://<HOST-A-IP>:9009/v1/instances/default?sensitive=true")
      .then(res => res.json())
      .then(data => console.log(data))
      .catch(err => console.error("Error: ", err));
  </script>
</body>

</html>

When the port of HOST B is set to 3000 or 4000, the script inside the HTML file successfully fetches results from the endpoint. For any other port value, it fails as expected.
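The behaviour the description and the local test above exercise, shown as an added example that is not rill's own middleware: a small Go handler that answers cross-origin requests only for origins on an explicit allow-list (the PR's `--allowed-origins` values), echoes the matching origin instead of `*`, and uses `net/http/httptest` to play the part of the HOST B page for a listed origin, an unlisted one, and a preflight. The function names, the stand-in instance endpoint and the JSON body are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// corsMiddleware answers cross-origin requests only for origins on an explicit
// allow-list. Added illustration of the PR's approach (allow-list instead of
// "*"); not rill's own middleware, and the names here are assumptions.
func corsMiddleware(allowedOrigins []string, next http.Handler) http.Handler {
	allowed := make(map[string]bool, len(allowedOrigins))
	for _, o := range allowedOrigins {
		allowed[strings.TrimRight(o, "/")] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && allowed[origin] {
			// Echo the exact origin that matched, never "*": the header then
			// only ever names an origin the operator configured, and Vary
			// stops a shared cache from replaying it to a different origin.
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		if r.Method == http.MethodOptions {
			// Preflight: answered here, never falls through to the API handler.
			w.WriteHeader(http.StatusNoContent)
			return
		}
		// For an unlisted origin the API still runs and answers 200; the
		// response simply carries no Access-Control-Allow-Origin header, and
		// it is the browser that refuses to hand the body to the page. CORS
		// therefore complements, and does not replace, server-side authorization.
		next.ServeHTTP(w, r)
	})
}

// newServer wraps a stand-in for the instance endpoint in the middleware.
func newServer(allowedOrigins []string) http.Handler {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"instance":"default"}`) // constructed sample body
	})
	return corsMiddleware(allowedOrigins, api)
}

// probeOrigin plays the role of the HOST B page: it sends one request with the
// given Origin header (empty means no Origin header at all, as a non-browser
// client would send) and returns the status code and the
// Access-Control-Allow-Origin value received ("" when absent).
func probeOrigin(h http.Handler, method, origin string) (int, string) {
	req := httptest.NewRequest(method, "/v1/instances/default?sensitive=true", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	// Mirrors the two --allowed-origins values used in the local test above.
	h := newServer([]string{"http://localhost:3000", "http://localhost:4000"})
	for _, origin := range []string{"http://localhost:3000", "http://localhost:4003", ""} {
		code, acao := probeOrigin(h, "GET", origin)
		fmt.Printf("origin=%q status=%d Access-Control-Allow-Origin=%q\n", origin, code, acao)
	}
}
```

Running it prints an echoed `Access-Control-Allow-Origin` only for `http://localhost:3000`; the request from port 4003 gets the same 200 body but no header, which is exactly what makes the browser-side fetch in the HTML page fail for ports other than 3000 and 4000.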

@Kavinjsir Kavinjsir merged commit 0304476 into main Aug 6, 2024
4 checks passed
@Kavinjsir Kavinjsir deleted the tony-patch-cors branch August 6, 2024 08:56
Development

Successfully merging this pull request may close these issues.

readonly mode should not allow arbitrary file listing or listing sensitive project variables/env values
2 participants