Netlify DNS - Deploy Preview and Branch Deploys

Hello!

We have a couple of front end projects we’d like to migrate to Netlify.
The problem is that our API has a CORS policy that only allows requests from specific domains, therefore we can’t use features such as deploy previews because the requests would come from deploy-preview-****.netlify.com.

Adding the Netlify domain to our CORS policy is not an option, since it is not secure.

Our solution for this problem would be to purchase another domain through Netlify’s DNS (e.g. ourdomain.com) and add it to our CORS policy. Its sole purpose would be branch deploys and deploy previews for all sites in our account.

However, we’d like to keep different “Primary domain” and “Domain alias” as the domains for production branches of each site (currently set to custom domains that are managed in another domain registrar).

Would all deploy previews and branch deploys, for all sites in our account, be available though this purchased domain (i.e. deploy-preview-****.ourdomain.com)?

Hi @Cobli_Tech,

Deploy Previews will always be on the *.netlify.com domain, but branch deploys can have subdomains on your own custom domain. Can you dynamically set the value of Access-Control-Allow-Origin so that anything that any domain that ends in your-netlify-subdomain.netlify.com is allowed? That would be the simplest path.

Thats totally insecure. I mean anyone can make a second app with attack-your-netlify-subdomain.netlify.com, right? Any code executed there could then access the API. I have the same problem for rerouting users after login with auth0 to https://preview-234-my-app.netlify.com/callback. I could allow https://*-my-app.netlify.com/callback as a redirect url but then someone can setup https://attack-my-app.netlify.com to phish my users access tokens…

You need to enable branch deploy urls that end on the domain of the project as OP requested. Currently I cannot preview my FE client against the production auth service or as such production backend.

Hi @Levino , Netlify site subdomains are unique, so if you have a site with my-site.netlify.com then ONLY your sites branch deploys and deploy previews will include my-site.netlify.com as part of the URL. Others can’t name their site the same as yours so they can’t use your sites deploy previews.

So this is the netlify url of my companies homepage: https://hardfork-hp-gatsby.netlify.com and with another account I just created this “attackers page”: https://pwnd-hardfork-hp-gatsby.netlify.com/. If I now open a PR for the attackers page I get https://deploy-preview-2–pwnd-hardfork-hp-gatsby.netlify.com/ So if I would allow https://deploy-preview*hardfork-hp-gatsby.netlify.com/callback for the auth0 callback urls then the attacker can fish my users token. I might be safe if I only allow https://deploy-preview-[uptofournumbers]-hardfork-hp-gatsby.netlify.com/callback but I think that is not possible with auth0. Also that is a super fragile “protection” (where is all this stuff documented anyhow? who says it will not change in the future). If instead I could get deployment previews from my own domain, I would immediatly be safe with https://*.hardfork.io/callback.