Enable CORS configuration to get badges functionality

Probably since SONAR-21780 Add Cross-Origin related HTTP security headers · SonarSource/sonarqube@4f2cb04 · GitHub , our badges integration in our GitLab instance fails with CORS error like :

“Ressource at URL « https://sonar.example.com/api/project_badges/measure?project=myproject&metric=alert_status&token=0123456789abcdef » was blocked due to a Cross-Origin-Resource-Policy header”

Is there a way to allow specific host to get badges functionnality back ?

  • SonarQube Enterprise Edition v10.5.1 (90531)
  • SonarQube deployed with Helm


Hey there.

We’ll fix this issue in SonarQube v10.6, currently scheduled for mid/late June.

SONAR-22149

1 Like

I went to issue SONAR-22149 and saw that it solves exactly this problem, but it said it would go into version 10.6 and it didn’t, now it’s saying it will go into version 10.7 and closed the issue, but I haven’t seen the commit on github yet…

Check the Link: Commit search results · GitHub

I was waiting the fix too for 10.6, but sad to see it apparently got scoped out from it.

Appears it is not fixed in 10.7 yet:

[![Quality Gate Status](https://next.sonarqube.com/sonarqube/api/project_badges/measure?project=sonarqube&metric=alert_status&token=d95182127dd5583f57578d769b511660601a8547)](https://next.sonarqube.com/sonarqube/dashboard?id=sonarqube)

Results currently to broken badge:
Quality Gate Status

Curiously, the badge works with exact same markdown in SonarQube Github README: sonarqube/README.md at master · SonarSource/sonarqube · GitHub. Maybe Github has some additional workarounds built on top of it? There the badge image originates from githubusercontent.com, not from next.sonarqube.com.

Hey all.

Yes, unfortunately the ticket was bumped to our next release (v10.7), but we intend to handle it early on in the development cycle so that we don’t risk another delay. Thanks for your patience.

I am serving the sonarqube in kubernetes, I had this issue and solved it with nginx. Basically I am routing the network via a nginx deployment to the application, I think this settings should be configurable.
Here is my nginx configuration file

server {
    listen 443;
location / {
        proxy_pass https://1.1.1.1:1111; # use can use domain or ip adress here
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Cross-Origin-Resource-Policy same-origin;
    } 
} 

I hope it helps for now .