diff options
| author | Matthew Wild <mwild1@gmail.com> | 2022-03-28 14:53:24 +0100 |
|---|---|---|
| committer | Matthew Wild <mwild1@gmail.com> | 2022-03-28 14:53:24 +0100 |
| commit | f19f1088b757c41c2c63b328f1d3faca8fe9a857 (patch) | |
| tree | 876ee44e570eac125bc77b5ed95c9c2f7ef65df5 | |
| parent | 331ede129e1b1787d611b87f1b20dc43eeea92a2 (diff) | |
| download | prosody-f19f1088b757c41c2c63b328f1d3faca8fe9a857.tar.gz prosody-f19f1088b757c41c2c63b328f1d3faca8fe9a857.zip | |
mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731)
The same-origin policy enforced by browsers is a security measure that should
only be turned off when it is safe to do so. It is safe to do so in Prosody's
default modules, but people may load third-party modules that are unsafe.
Therefore we have flipped the default, so that modules must explicitly opt in
to having CORS headers added on their requests.
| -rw-r--r-- | plugins/mod_bosh.lua | 3 | ||||
| -rw-r--r-- | plugins/mod_http.lua | 2 | ||||
| -rw-r--r-- | plugins/mod_http_file_share.lua | 1 | ||||
| -rw-r--r-- | plugins/mod_websocket.lua | 3 |
4 files changed, 8 insertions, 1 deletions
diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua index 9f08156c..11bfb51d 100644 --- a/plugins/mod_bosh.lua +++ b/plugins/mod_bosh.lua @@ -547,6 +547,9 @@ function module.add_host(module) module:depends("http"); module:provides("http", { default_path = "/http-bind"; + cors = { + enabled = true; + }; route = { ["GET"] = GET_response; ["GET /"] = GET_response; diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua index ffe6963c..b26adb1c 100644 --- a/plugins/mod_http.lua +++ b/plugins/mod_http.lua @@ -163,7 +163,7 @@ function module.add_host(module) local cors = cors_overrides[app_name] or event.item.cors; if cors then - if cors.enabled ~= false then + if cors.enabled == true then if cors.credentials ~= nil then app_credentials = cors.credentials; end diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua index 8e433471..b6200628 100644 --- a/plugins/mod_http_file_share.lua +++ b/plugins/mod_http_file_share.lua @@ -578,6 +578,7 @@ if not external_base_url then module:provides("http", { streaming_uploads = true; cors = { + enabled = true; credentials = true; headers = { Authorization = true; diff --git a/plugins/mod_websocket.lua b/plugins/mod_websocket.lua index c4f172fc..bddcbb79 100644 --- a/plugins/mod_websocket.lua +++ b/plugins/mod_websocket.lua @@ -355,6 +355,9 @@ function module.add_host(module) module:provides("http", { name = "websocket"; default_path = "xmpp-websocket"; + cors = { + enabled = true; + }; route = { ["GET"] = handle_request; ["GET /"] = handle_request; |