bird-house · mishaschwartz · Nov 12, 2025 · Oct 20, 2025 · Oct 21, 2025 · Oct 27, 2025
@@ -15,7 +15,56 @@
 [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest)
 ------------------------------------------------------------------------------------------------------------------
 
-[//]: # (list changes here, using '-' for each new entry, remove this when items are added)
+## Changes
+
+- Allow each service to specify values for `Access-Control-Allow-Origin`
+
+  Previously, if a `location` block in the `nginx` configuration for a given service included the cors helper
+  configuration (with `include /etc/nginx/conf.d/cors.include;`) then all origins were allowed by default.
+
+  This was done by setting the header `Access-Control-Allow-Origin: *` which works well but is a bit too permissive
+  since it allowed __all__ origins.
+
+  This change introduces a mechanism to specify specific additional allowed origins by setting the 
+  `$access_control_allow_origin` nginx variable in the `location` block before including the `cors.include` file.
+
+  For example:
+
+  ```
+  set $access_control_allow_origin http://example.com;
+  include /etc/nginx/conf.d/cors.include;
+  ```
+
+  will set the value of the `Access-Control-Allow-Origin` response header to `http://example.com`.
+
+  By default, the header value will be `*` if `$access_control_allow_origin` is not set (to maintain backwards
+  compatibility).
+
+  To specify multiple allowed origins, use a `map` directive (see the implementation for `components/stac` for an
+  example).
+
+- Set allowed CORS origins for `stac` through an environment variable
+
+  This change implements this flexibility for the `components/stac` component. By setting the `STAC_CORS_ORIGINS`
+  variable a user can specify allowed origins for responses from the `components/stac` component.
+
+  For example, setting the following:
+
+  ```
+  export STAC_CORS_ORIGINS='https://example.com ~^https?://(www\.)?other\.example\.com$' 
+  ```
+
+  then requests from https://example.com and http://other.example.com will get a response with the 
+  `Access-Control-Allow-Origin header` set to their origin, but http://example.ca will not.
+
+  Note that this breaks backwards compatibility slightly since previously all origins were allowed for `/stac` by
+  default. To keep the backwards compatible behaviour you can set:
+
+  ```
+  export STAC_CORS_ORIGINS='~.*' 
+  ```
+
+  to match all origins.
 
 [2.18.7](https://github.com/bird-house/birdhouse-deploy/tree/2.18.7) (2025-10-17)
 ------------------------------------------------------------------------------------------------------------------

@@ -1,7 +1,11 @@
       proxy_hide_header 'Access-Control-Allow-Origin';
 
+     if ( $access_control_allow_origin ~ "^$" ) {
+        set $access_control_allow_origin '*';
+     }
+
      if ($request_method = 'OPTIONS') {
-        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Origin' $access_control_allow_origin;
         add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
         #
         # Custom headers and headers various browsers *should* be OK with but aren't
@@ -16,13 +20,13 @@
         return 204;
      }
      if ($request_method = 'POST') {
-        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Origin' $access_control_allow_origin;
         add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
         add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
         add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
      }
      if ($request_method = 'GET') {
-        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Origin' $access_control_allow_origin;
         add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
         add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
         add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';

@@ -14,6 +14,8 @@ map $http_x_forwarded_proto $real_scheme {
   ''      $scheme;
 }
 
+include /etc/nginx/conf.extra-directives.d/*/*.conf;
+
 server {
     listen       80 ${PROXY_LISTEN_80_PARAMS};
     server_name  localhost;

diff --git a/birdhouse/components/stac-browser/default.env b/birdhouse/components/stac-browser/default.env
@@ -24,6 +24,10 @@ export STAC_BROWSER_IMAGE_URI='${STAC_BROWSER_IMAGE}'
 #   - https://github.com/radiantearth/stac-browser/blob/main/docs/docker.md
 export STAC_BROWSER_PATH_PREFIX='/stac-browser/'
 
+# Allows requests from https://geojson.io to access the /stac endpoint according to the CORS headers.
+# See components/stac/default.env for more information.
+export STAC_CORS_ORIGINS='https://geojson.io'
+
 export DELAYED_EVAL="
   $DELAYED_EVAL
   STAC_BROWSER_IMAGE

@@ -1,4 +1,5 @@
 config/magpie/config.yml
 config/proxy/conf.extra-service.d/stac.conf
+config/proxy/conf.extra-directives.d/stac.conf
 config/canarie-api/canarie_api_monitoring.py
 service-config.json
@@ -0,0 +1,7 @@
+    map $http_origin $stac_origin_allowed {
+        # default should not be set to the empty string because the cors.include file will interpret
+        # that as "unset" and will change it to * by default. To get around this, set this to birdhouse's
+        # own origin (which has the same effect as being unset since same-origin requests are already allowed). 
+        default ${BIRDHOUSE_PROXY_SCHEME}://${BIRDHOUSE_FQDN_PUBLIC};
+        ${STAC_ADDITIONAL_CORS_ORIGINS}
+    }
@@ -9,7 +9,9 @@
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Host $host:$server_port;
         proxy_buffering off;
+        set $access_control_allow_origin $stac_origin_allowed;
         include /etc/nginx/conf.d/cors.include;
+        add_header Vary Origin;
     }
 
     # Automatically redirect to /stac/stac and exclude redirect when already using /stac 

@@ -3,3 +3,4 @@ services:
     volumes:
       - ./components/stac/service-config.json:/static/services/stac.json:ro
       - ./components/stac/config/proxy/conf.extra-service.d:/etc/nginx/conf.extra-service.d/stac:ro
+      - ./components/stac/config/proxy/conf.extra-directives.d:/etc/nginx/conf.extra-directives.d/stac:ro
@@ -45,6 +45,15 @@ export STAC_POPULATOR_BACKUP_IMAGE='${STAC_POPULATOR_BACKUP_DOCKER}:${STAC_POPUL
 # This must match the "stac_version" value in the current STAC catalog.
 export PYSTAC_STAC_VERSION_OVERRIDE=1.0.0
 
+# Add additional origins that are allowed to access the /stac endpoint (other than the same origin) according to CORS rules. 
+# The values in the space delimited list set by STAC_CORS_ORIGINS are origins that will be allowed to access responses
+# from /stac. These values can either be strings which will be matched directly or regular expressions prefixed by ~.
+#
+# For example, if STAC_CORS_ORIGINS='https://example.com ~^https?://(www\.)?other\.example\.com$' then requests from
+# https://example.com and http://other.example.com will get a response with the Access-Control-Allow-Origin header set
+# to their origin, but http://example.ca will not.
+export STAC_ADDITIONAL_CORS_ORIGINS='$(for origin in $STAC_CORS_ORIGINS; do echo "$origin \$http_origin;"; done;)'
+
 # add any new variables not already in 'VARS' or 'OPTIONAL_VARS' that must be replaced in templates here
 # single quotes are important in below list to keep variable names intact until 'birdhouse-compose' parses them
 EXTRA_VARS='
@@ -71,6 +80,7 @@ export DELAYED_EVAL="
   STAC_MIGRATION_DOCKER
   STAC_MIGRATION_IMAGE
   STAC_POPULATOR_BACKUP_IMAGE
+  STAC_ADDITIONAL_CORS_ORIGINS
 "
 
 OPTIONAL_VARS="
@@ -86,4 +96,6 @@ OPTIONAL_VARS="
   \$STAC_MIGRATION_TAGGED
   \$STAC_MIGRATION_DOCKER
   \$STAC_MIGRATION_IMAGE
+  \$STAC_ADDITIONAL_CORS_ORIGINS
+  \$STAC_CORS_ORIGIN_ALLOW_ALL
 "