aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_bosh.lua
diff options
context:
space:
mode:
authorMatthew Wild <mwild1@gmail.com>2010-01-21 15:07:52 +0000
committerMatthew Wild <mwild1@gmail.com>2010-01-21 15:07:52 +0000
commita308952de6843c3dd7773005c03051efb0bc7a64 (patch)
treeacf79b5397310b56623bb72c8ba97e5098bf4762 /plugins/mod_bosh.lua
parent08eb2962487da4fad181f7d3eaac51490be253c5 (diff)
downloadprosody-a308952de6843c3dd7773005c03051efb0bc7a64.tar.gz
prosody-a308952de6843c3dd7773005c03051efb0bc7a64.zip
mod_bosh: Support for cross-domain access control using CORS
Diffstat (limited to 'plugins/mod_bosh.lua')
-rw-r--r--plugins/mod_bosh.lua35
1 files changed, 34 insertions, 1 deletions
diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua
index 76009bb4..21bfbebf 100644
--- a/plugins/mod_bosh.lua
+++ b/plugins/mod_bosh.lua
@@ -34,6 +34,23 @@ local BOSH_DEFAULT_MAXPAUSE = tonumber(module:get_option("bosh_max_pause")) or 3
local default_headers = { ["Content-Type"] = "text/xml; charset=utf-8" };
local session_close_reply = { headers = default_headers, body = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate" }), attr = {} };
+local http_options, http_denied_options = { headers = {} }, { headers = {} };
+local cross_domain = module:get_option("cross_domain_bosh");
+if cross_domain ~= false then
+ http_options.headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
+ http_options.headers["Access-Control-Allow-Headers"] = "Content-Type";
+ http_options.headers["Access-Control-Max-Age"] = "86400";
+
+ if cross_domain == true then
+ http_options.headers["Access-Control-Allow-Origin"] = "*";
+ elseif type(cross_domain) == "table" then
+ cross_domain = table.concat(cross_domain, ", ");
+ end
+ if type(cross_domain) == "string" then
+ http_options.headers["Access-Control-Allow-Origin"] = cross_domain;
+ end
+end
+
local t_insert, t_remove, t_concat = table.insert, table.remove, table.concat;
local os_time = os.time;
@@ -59,9 +76,25 @@ function on_destroy_request(request)
end
end
+local function send_options_headers(request)
+ if cross_domain == nil then
+ local host = request.headers.host and request.headers.host:match("^[^:]+");
+ if hosts[host] then
+ http_options.headers["Access-Control-Allow-Origin"] = "http://"..host;
+ else
+ return http_denied_options; -- We don't want to reveal the hosts we serve
+ end
+ end
+ return http_options;
+end
+
function handle_request(method, body, request)
if (not body) or request.method ~= "POST" then
- return "<html><body>You really don't look like a BOSH client to me... what do you want?</body></html>";
+ if request.method == "OPTIONS" then
+ return send_options_headers(request);
+ else
+ return "<html><body>You really don't look like a BOSH client to me... what do you want?</body></html>";
+ end
end
if not method then
log("debug", "Request %s suffered error %s", tostring(request.id), body);