diff options
| author | Kim Alvefur <zash@zash.se> | 2019-01-17 20:42:38 +0100 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2019-01-17 20:42:38 +0100 |
| commit | 3434e4560f79c834411e0c1d117a96e8b94ff4db (patch) | |
| tree | a25f25ee24241ab1131962045815d558f62fdf4c /plugins/mod_http.lua | |
| parent | 19d344e092421bd84cd52de74bcd6b7b1e9a0a13 (diff) | |
| download | prosody-3434e4560f79c834411e0c1d117a96e8b94ff4db.tar.gz prosody-3434e4560f79c834411e0c1d117a96e8b94ff4db.zip | |
mod_http: Determine CORS methods to whitelist from actual methods used
Diffstat (limited to 'plugins/mod_http.lua')
| -rw-r--r-- | plugins/mod_http.lua | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua index 01f20f76..829c2d02 100644 --- a/plugins/mod_http.lua +++ b/plugins/mod_http.lua @@ -14,6 +14,7 @@ local moduleapi = require "core.moduleapi"; local url_parse = require "socket.url".parse; local url_build = require "socket.url".build; local normalize_path = require "util.http".normalize_path; +local set = require "util.set"; local server = require "net.http.server"; @@ -23,7 +24,7 @@ server.set_option("body_size_limit", module:get_option_number("http_max_content_ server.set_option("buffer_size_limit", module:get_option_number("http_max_buffer_size")); -- CORS settigs -local opt_methods = module:get_option_set("access_control_allow_methods", { "GET", "POST", "PUT", "OPTIONS" }); +local opt_methods = module:get_option_set("access_control_allow_methods", { "GET", "OPTIONS" }); local opt_headers = module:get_option_set("access_control_allow_headers", { "Content-Type" }); local opt_max_age = module:get_option_number("access_control_max_age", 2 * 60 * 60); @@ -114,9 +115,11 @@ function module.add_host(module) apps[app_name] = apps[app_name] or {}; local app_handlers = apps[app_name]; + local app_methods = opt_methods; + local function cors_handler(event_data) local request, response = event_data.request, event_data.response; - apply_cors_headers(response, opt_methods, opt_headers, opt_max_age, request.headers.origin); + apply_cors_headers(response, app_methods, opt_headers, opt_max_age, request.headers.origin); end local function options_handler(event_data) @@ -127,6 +130,10 @@ function module.add_host(module) for key, handler in pairs(event.item.route or {}) do local event_name = get_http_event(host, app_path, key); if event_name then + local method = event_name:match("^%S+"); + if not app_methods:contains(method) then + app_methods = app_methods + set.new{ method }; + end local options_event_name = event_name:gsub("^%S+", "OPTIONS"); if type(handler) ~= "function" then local data = handler; |