S3: Add MOTO_DISABLE_GLOBAL_CORS for disabling wildcard CORS (#8409)

docs/docs/configuration/environment_variables.rst

@@ -38,4 +38,6 @@ The following is a non-exhaustive list of the environment variables that can be
 +-------------------------------+----------+-----------+-------------------------------------------------------------------------------------------------+
 | MOTO_PRETTIFY_RESPONSES       | bool     | False     | Prettify responses from Moto, making it easier to read and debug.                               |
 +-------------------------------+----------+-----------+-------------------------------------------------------------------------------------------------+
+| MOTO_DISABLE_GLOBAL_CORS      | bool     | False     | Disable configuring global wildcard CORS.                                                       |
++-------------------------------+----------+-----------+-------------------------------------------------------------------------------------------------+
 

docs/docs/services/s3.rst

@@ -116,6 +116,11 @@ s3
 - [X] put_bucket_acl
 - [ ] put_bucket_analytics_configuration
 - [X] put_bucket_cors
+
+        Note that the moto server configures global wildcard CORS settings by default. To avoid this from overriding empty bucket CORS, disable global CORS with an environment variable:
+
+        MOTO_DISABLE_GLOBAL_CORS=true
+
 - [X] put_bucket_encryption
 - [ ] put_bucket_intelligent_tiering_configuration
 - [ ] put_bucket_inventory_configuration

moto/moto_server/werkzeug_app.py

@@ -20,6 +20,7 @@
 from moto.core import DEFAULT_ACCOUNT_ID
 from moto.core.base_backend import BackendDict
 from moto.core.utils import convert_to_flask_response
+from moto.settings import DISABLE_GLOBAL_CORS
 
 from .utilities import AWSTestHelper, RegexConverter
 
@@ -274,7 +275,9 @@ def create_backend_app(service: backends.SERVICE_NAMES) -> Flask:
     backend_app = Flask("moto", template_folder=template_dir)
     backend_app.debug = True
     backend_app.service = service  # type: ignore[attr-defined]
-    CORS(backend_app)
+
+    if not DISABLE_GLOBAL_CORS:
+        CORS(backend_app)
 
     # Reset view functions to reset the app
     backend_app.view_functions = {}

moto/settings.py

@@ -39,6 +39,8 @@ def is_test_proxy_mode() -> bool:
 
 PRETTIFY_RESPONSES = bool(os.environ.get("MOTO_PRETTIFY_RESPONSES", False))
 
+DISABLE_GLOBAL_CORS = bool(os.environ.get("MOTO_DISABLE_GLOBAL_CORS", False))
+
 # Fully skip test that require docker
 SKIP_REQUIRES_DOCKER = bool(os.environ.get("TESTS_SKIP_REQUIRES_DOCKER", False))
 

tests/test_s3/test_server.py

@@ -256,6 +256,25 @@ def test_s3_server_post_cors():
     assert res.headers["Access-Control-Allow-Headers"] == "origin, x-requested-with"
 
 
+def test_s3_no_default_cors():
+    """Test default CORS headers are not set if MOTO_DISABLE_GLOBAL_CORS is true"""
+    for disable_cors in [True, False]:
+        with patch("moto.moto_server.werkzeug_app.DISABLE_GLOBAL_CORS", disable_cors):
+            test_client = authenticated_client()
+
+            # Create a bucket and a file
+            test_client.put("/", "http://nodefaultcors.localhost:5000/")
+            test_client.put("/test", "http://nodefaultcors.localhost:5000/")
+            test_client.put("/", "http://tester.localhost:5000/")
+
+            resp = test_client.get(
+                "/test",
+                "http://nodefaultcors.localhost:5000/",
+                headers={"Origin": "example.com"},
+            )
+            assert ("Access-Control-Allow-Origin" not in resp.headers) == disable_cors
+
+
 def test_s3_server_post_cors_exposed_header():
     """Test overriding default CORS headers with custom bucket rules"""
     # github.com/getmoto/moto/issues/4220