aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthew Wild <mwild1@gmail.com>2022-03-28 14:53:24 +0100
committerMatthew Wild <mwild1@gmail.com>2022-03-28 14:53:24 +0100
commitf19f1088b757c41c2c63b328f1d3faca8fe9a857 (patch)
tree876ee44e570eac125bc77b5ed95c9c2f7ef65df5
parent331ede129e1b1787d611b87f1b20dc43eeea92a2 (diff)
downloadprosody-f19f1088b757c41c2c63b328f1d3faca8fe9a857.tar.gz
prosody-f19f1088b757c41c2c63b328f1d3faca8fe9a857.zip
mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731)
The same-origin policy enforced by browsers is a security measure that should only be turned off when it is safe to do so. It is safe to do so in Prosody's default modules, but people may load third-party modules that are unsafe. Therefore we have flipped the default, so that modules must explicitly opt in to having CORS headers added on their requests.
-rw-r--r--plugins/mod_bosh.lua3
-rw-r--r--plugins/mod_http.lua2
-rw-r--r--plugins/mod_http_file_share.lua1
-rw-r--r--plugins/mod_websocket.lua3
4 files changed, 8 insertions, 1 deletions
diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua
index 9f08156c..11bfb51d 100644
--- a/plugins/mod_bosh.lua
+++ b/plugins/mod_bosh.lua
@@ -547,6 +547,9 @@ function module.add_host(module)
module:depends("http");
module:provides("http", {
default_path = "/http-bind";
+ cors = {
+ enabled = true;
+ };
route = {
["GET"] = GET_response;
["GET /"] = GET_response;
diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua
index ffe6963c..b26adb1c 100644
--- a/plugins/mod_http.lua
+++ b/plugins/mod_http.lua
@@ -163,7 +163,7 @@ function module.add_host(module)
local cors = cors_overrides[app_name] or event.item.cors;
if cors then
- if cors.enabled ~= false then
+ if cors.enabled == true then
if cors.credentials ~= nil then
app_credentials = cors.credentials;
end
diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index 8e433471..b6200628 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -578,6 +578,7 @@ if not external_base_url then
module:provides("http", {
streaming_uploads = true;
cors = {
+ enabled = true;
credentials = true;
headers = {
Authorization = true;
diff --git a/plugins/mod_websocket.lua b/plugins/mod_websocket.lua
index c4f172fc..bddcbb79 100644
--- a/plugins/mod_websocket.lua
+++ b/plugins/mod_websocket.lua
@@ -355,6 +355,9 @@ function module.add_host(module)
module:provides("http", {
name = "websocket";
default_path = "xmpp-websocket";
+ cors = {
+ enabled = true;
+ };
route = {
["GET"] = handle_request;
["GET /"] = handle_request;