mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731)

The same-origin policy enforced by browsers is a security measure that should only be turned off when it is safe to do so. It is safe to do so in Prosody's default modules, but people may load third-party modules that are unsafe. Therefore we have flipped the default, so that modules must explicitly opt in to having CORS headers added on their requests.
author: Matthew Wild <mwild1@gmail.com> 2022-03-28 14:53:24 +0100
committer: Matthew Wild <mwild1@gmail.com> 2022-03-28 14:53:24 +0100
commit: f19f1088b757c41c2c63b328f1d3faca8fe9a857 (patch)
tree: 876ee44e570eac125bc77b5ed95c9c2f7ef65df5 /plugins/mod_http.lua
parent: 331ede129e1b1787d611b87f1b20dc43eeea92a2 (diff)
download: prosody-f19f1088b757c41c2c63b328f1d3faca8fe9a857.tar.gz
prosody-f19f1088b757c41c2c63b328f1d3faca8fe9a857.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua
index ffe6963c..b26adb1c 100644
--- a/plugins/mod_http.lua
+++ b/plugins/mod_http.lua
@@ -163,7 +163,7 @@ function module.add_host(module)
 
 		local cors = cors_overrides[app_name] or event.item.cors;
 		if cors then
-			if cors.enabled ~= false then
+			if cors.enabled == true then
 				if cors.credentials ~= nil then
 					app_credentials = cors.credentials;
 				end
author	Matthew Wild <mwild1@gmail.com>	2022-03-28 14:53:24 +0100
committer	Matthew Wild <mwild1@gmail.com>	2022-03-28 14:53:24 +0100
commit	f19f1088b757c41c2c63b328f1d3faca8fe9a857 (patch)
tree	876ee44e570eac125bc77b5ed95c9c2f7ef65df5 /plugins/mod_http.lua
parent	331ede129e1b1787d611b87f1b20dc43eeea92a2 (diff)
download	prosody-f19f1088b757c41c2c63b328f1d3faca8fe9a857.tar.gz prosody-f19f1088b757c41c2c63b328f1d3faca8fe9a857.zip