Add as-restful support for TDX-based Open-webui #826
Conversation
[Background]: We are working on a Confidential AI project(https://github.com/intel/confidential-computing-zoo/tree/main/cczoo/confidential_ai),which is built based-on TDX + Open-webui. We will leverage attestation service (restful api) in trustee to do the attestation related work. Open-webui(https://github.com/open-webui/open-webui) is an open-sourced project which provide a webui for AI services. [Issue] When Open-webui tries to access as via http, it will show below error message: Access to XMLHttpRequest at 'http://xxxx:8080/attestation' from origin 'http://xxxx:18080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status. [Fix] Add CORS policy to permit the access from open-webui request. Signed-off-by: RodgerZhu <[email protected]>
There was a problem hiding this comment.
Thanks for the new feature and nice to hear that other projects are integrating CoCoAS now @RodgerZhu ! Some design considerations. Also, let's make the CI happy
| @@ -65,6 +65,7 @@ tokio.workspace = true | |||
| tonic = { workspace = true, optional = true } | |||
| uuid = { version = "1.1.2", features = ["v4"] } | |||
| verifier = { path = "../deps/verifier", default-features = false } | |||
| actix-cors = "0.7" | |||
There was a problem hiding this comment.
Let's reorder it with alphabet order. And we can use
| actix-cors = "0.7" | |
| actix-cors = { version = "0.7", optional = true } |
and enable this dependency only when we are building restful-as (the front)
restful-bin = ["actix-cors", "actix-web/openssl", "clap", "env_logger"]| @@ -96,7 +97,9 @@ async fn main() -> Result<(), RestfulError> { | |||
|
|
|||
| let attestation_service = web::Data::new(Arc::new(RwLock::new(attestation_service))); | |||
| let server = HttpServer::new(move || { | |||
| let cors = Cors::permissive(); | |||
There was a problem hiding this comment.
The official document says permissive(): All origins, methods, request headers and exposed headers allowed. (Not recommended for production use.)
It would be a good choice to add a parameter for restful named --allowed-origin or something similar to set manually when launching. If this parameter is not given, we fully forbid oras.
The reference of parameter definition is here
There was a problem hiding this comment.
agree with @Xynnn007. Cors::permissive() is not a proper fix.
[Background]:
We are working on a Confidential AI project(https://github.com/intel/confidential-computing-zoo/tree/main/cczoo/confidential_ai),which is built based-on TDX + Open-webui. We will leverage attestation service (restful api) in trustee to do the attestation related work. Open-webui(https://github.com/open-webui/open-webui) is an open-sourced project which provide a webui for AI services.
[Issue]
When Open-webui tries to access as via http, it will show below error message:
Access to XMLHttpRequest at 'http://xxxx:8080/attestation' from origin 'http://xxxx:18080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
[Fix]
Add CORS policy to permit the access from open-webui request.