In case of a separate deployment, security can be improved even further by configuring a whitelist of valid Studio URLs in the preview CAE web application. This is done via the pbe.studioUrlWhitelist property in the WEB-INF/application.properties file of the preview CAE web application. If left empty, all URLs are considered valid.

In the opposite direction, it is possible to configure a whitelist of valid preview URLs in Studio (including protocol, host and port). This is done via the studio.previewUrlWhitelist property in the WEB-INF/application.properties file of the Studio web application. If left empty, the only valid preview URL is the one that is determined based on the studio.previewUrlPrefix property (that is, the given preview URL or the Studio URL itself if a relative preview URL prefix is given). When configuring valid preview URLs it is possible to use wildcards as in the following example:

studio.previewUrlWhitelist=https://host1:port1, https://host2:port2, http://localhost*, *company.com

Note that once a preview URL whitelist is configured, CoreMedia Studio can no longer set a target origin in outgoing messages. Be aware that this is a minor security drawback.
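
Wildcard entries like the ones above are easy to make broader than intended, so the following added example (not CoreMedia code) parses a whitelist value in that format, matches URLs against it and flags loose patterns. It assumes that * matches any run of characters and that a pattern must match the whole URL, which this page does not specify; the function names and sample URLs are constructed for illustration.

```javascript
// Added example, not CoreMedia code. Assumption: "*" matches any run of
// characters and a pattern must match the whole URL (protocol, host, port).

// Split a studio.previewUrlWhitelist value into trimmed, non-empty patterns.
function parseWhitelist(value) {
  return value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Escape regex metacharacters, then turn each "*" into ".*".
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// True if the URL matches at least one pattern. The empty-list fallback to
// studio.previewUrlPrefix described above is not modelled here.
function isAllowed(url, patterns) {
  return patterns.some((p) => patternToRegExp(p).test(url));
}

// Flag patterns that accept more than the author probably intended.
function auditPattern(pattern) {
  const findings = [];
  if (!/^https?:\/\//.test(pattern)) findings.push("no-explicit-protocol");
  if (/^\*[^.]/.test(pattern)) findings.push("wildcard-not-bound-to-dot");
  if (/[^:\/]\*$/.test(pattern)) findings.push("wildcard-extends-host");
  return findings;
}

// The whitelist value from the example above.
const patterns = parseWhitelist(
  "https://host1:port1, https://host2:port2, http://localhost*, *company.com"
);

// Constructed sample URLs, not taken from any real deployment.
const samples = [
  "https://preview.company.com",
  "https://othercompany.com",
  "http://localhost:40081",
  "http://localhost.example.org",
  "https://preview.example.org",
];

for (const p of patterns) console.log(p, "->", auditPattern(p).join(", ") || "ok");
for (const u of samples) console.log(u, "->", isAllowed(u, patterns));
```

Under these assumptions, entries such as https://*.company.com and http://localhost:* produce no findings, because the protocol is fixed and the wildcard sits behind a delimiter.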

In case of a separate deployment, enabling Elastic Social tenants in the embedded preview requires including a placeholder in the aforementioned studio.previewUrlPrefix key of the property file WEB-INF/application.properties. CoreMedia Studio then replaces the token with the current tenant. In a CoreMedia Blueprint related project, this could be:

studio.previewUrlPrefix=http://{0}.localhost:40081/blueprint/servlet