aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthew Wild <mwild1@gmail.com>2022-03-28 14:53:46 +0100
committerMatthew Wild <mwild1@gmail.com>2022-03-28 14:53:46 +0100
commitea2cd6d6768281229b220fa07b246c5b516ffeae (patch)
tree4a76734b2c09eb97fc0c28851da2ce8a48d316c9
parent6a923e65c9a4f1129a448e7c41335d20e375be34 (diff)
parentf19f1088b757c41c2c63b328f1d3faca8fe9a857 (diff)
downloadprosody-ea2cd6d6768281229b220fa07b246c5b516ffeae.tar.gz
prosody-ea2cd6d6768281229b220fa07b246c5b516ffeae.zip
Merge 0.12->trunk
-rw-r--r--plugins/mod_bosh.lua3
-rw-r--r--plugins/mod_http.lua44
-rw-r--r--plugins/mod_http_file_share.lua1
-rw-r--r--plugins/mod_websocket.lua3
4 files changed, 38 insertions, 13 deletions
diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua
index 9f08156c..11bfb51d 100644
--- a/plugins/mod_bosh.lua
+++ b/plugins/mod_bosh.lua
@@ -547,6 +547,9 @@ function module.add_host(module)
module:depends("http");
module:provides("http", {
default_path = "/http-bind";
+ cors = {
+ enabled = true;
+ };
route = {
["GET"] = GET_response;
["GET /"] = GET_response;
diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua
index a31418cf..b26adb1c 100644
--- a/plugins/mod_http.lua
+++ b/plugins/mod_http.lua
@@ -31,8 +31,10 @@ server.set_option("body_size_limit", module:get_option_number("http_max_content_
server.set_option("buffer_size_limit", module:get_option_number("http_max_buffer_size"));
-- CORS settings
+local cors_overrides = module:get_option("http_cors_override", {});
local opt_methods = module:get_option_set("access_control_allow_methods", { "GET", "OPTIONS" });
local opt_headers = module:get_option_set("access_control_allow_headers", { "Content-Type" });
+local opt_origins = module:get_option_set("access_control_allow_origins");
local opt_credentials = module:get_option_boolean("access_control_allow_credentials", false);
local opt_max_age = module:get_option_number("access_control_max_age", 2 * 60 * 60);
@@ -109,7 +111,10 @@ function moduleapi.http_url(module, app_name, default_path)
return "http://disabled.invalid/";
end
-local function apply_cors_headers(response, methods, headers, max_age, allow_credentials, origin)
+local function apply_cors_headers(response, methods, headers, max_age, allow_credentials, allowed_origins, origin)
+ if allowed_origins and not allowed_origins[origin] then
+ return;
+ end
response.headers.access_control_allow_methods = tostring(methods);
response.headers.access_control_allow_headers = tostring(headers);
response.headers.access_control_max_age = tostring(max_age)
@@ -141,10 +146,14 @@ function module.add_host(module)
local app_methods = opt_methods;
local app_headers = opt_headers;
local app_credentials = opt_credentials;
+ local app_origins;
+ if opt_origins and not (opt_origins:empty() or opt_origins:contains("*")) then
+ opt_origins = opt_origins._items;
+ end
local function cors_handler(event_data)
local request, response = event_data.request, event_data.response;
- apply_cors_headers(response, app_methods, app_headers, opt_max_age, app_credentials, request.headers.origin);
+ apply_cors_headers(response, app_methods, app_headers, opt_max_age, app_credentials, app_origins, request.headers.origin);
end
local function options_handler(event_data)
@@ -152,17 +161,26 @@ function module.add_host(module)
return "";
end
- if event.item.cors then
- local cors = event.item.cors;
- if cors.credentials ~= nil then
- app_credentials = cors.credentials;
- end
- if cors.headers then
- for header, enable in pairs(cors.headers) do
- if enable and not app_headers:contains(header) then
- app_headers = app_headers + set.new { header };
- elseif not enable and app_headers:contains(header) then
- app_headers = app_headers - set.new { header };
+ local cors = cors_overrides[app_name] or event.item.cors;
+ if cors then
+ if cors.enabled == true then
+ if cors.credentials ~= nil then
+ app_credentials = cors.credentials;
+ end
+ if cors.headers then
+ for header, enable in pairs(cors.headers) do
+ if enable and not app_headers:contains(header) then
+ app_headers = app_headers + set.new { header };
+ elseif not enable and app_headers:contains(header) then
+ app_headers = app_headers - set.new { header };
+ end
+ end
+ end
+ if cors.origins then
+ if cors.origins == "*" or cors.origins[1] == "*" then
+ app_origins = nil;
+ else
+ app_origins = set.new(cors.origins)._items;
end
end
end
diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index 8e433471..b6200628 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -578,6 +578,7 @@ if not external_base_url then
module:provides("http", {
streaming_uploads = true;
cors = {
+ enabled = true;
credentials = true;
headers = {
Authorization = true;
diff --git a/plugins/mod_websocket.lua b/plugins/mod_websocket.lua
index c4f172fc..bddcbb79 100644
--- a/plugins/mod_websocket.lua
+++ b/plugins/mod_websocket.lua
@@ -355,6 +355,9 @@ function module.add_host(module)
module:provides("http", {
name = "websocket";
default_path = "xmpp-websocket";
+ cors = {
+ enabled = true;
+ };
route = {
["GET"] = handle_request;
["GET /"] = handle_request;