Give CORS setting its own env var

backend/.env.example

@@ -9,6 +9,8 @@ SENDGRID_API_KEY="optional, but emails won't send without it"
 
 # set this so third-party cookie blocking doesn't kill backend sessions (production)
 # SESSION_COOKIE_DOMAIN="zfnd.org"
+# Limit CORS to these domains, no spaces in seperators. Defaults to '*'.
+# CORS_DOMAINS="domain.com,domain2.com"
 
 # SENTRY_DSN="https://PUBLICKEY@sentry.io/PROJECTID"
 # SENTRY_RELEASE="optional, provides sentry logging with release info"

backend/grant/app.py

@@ -12,7 +12,7 @@ from sentry_sdk.integrations.flask import FlaskIntegration
 from sentry_sdk.integrations.logging import LoggingIntegration
 from grant import commands, proposal, user, comment, milestone, admin, email, blockchain, task, rfp, e2e
 from grant.extensions import bcrypt, migrate, db, ma, security, limiter
-from grant.settings import SENTRY_RELEASE, ENV, E2E_TESTING, DEBUG, SESSION_COOKIE_DOMAIN
+from grant.settings import SENTRY_RELEASE, ENV, E2E_TESTING, DEBUG, CORS_DOMAINS
 from grant.utils.auth import AuthException, handle_auth_error, get_authed_user
 from grant.utils.exceptions import ValidationException
 
@@ -121,7 +121,7 @@ def register_extensions(app):
     security.init_app(app, datastore=user_datastore, register_blueprint=False)
 
     # supports_credentials for session cookies, on cookie domains (if set)
-    origins = [SESSION_COOKIE_DOMAIN] if SESSION_COOKIE_DOMAIN else '*'
+    origins = CORS_DOMAINS.split(',')
     CORS(app, supports_credentials=True, expose_headers='X-Grantio-Authed', origins=origins)
     SSLify(app)
     return None

backend/grant/settings.py

@@ -29,6 +29,7 @@ SQLALCHEMY_TRACK_MODIFICATIONS = False
 
 # so backend session cookies are first-party
 SESSION_COOKIE_DOMAIN = env.str('SESSION_COOKIE_DOMAIN', default=None)
+CORS_DOMAINS = env.str('CORS_DOMAINS', default='*')
 
 SENDGRID_API_KEY = env.str("SENDGRID_API_KEY", default="")
 SENDGRID_DEFAULT_FROM = "noreply@grants.zfnd.org"