aboutsummaryrefslogtreecommitdiffstats
path: root/plugins
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2018-10-04 12:22:12 +0200
committerKim Alvefur <zash@zash.se>2018-10-04 12:22:12 +0200
commit87639540e4ea43c57eb3d31b78e0b5acaf68f97a (patch)
tree7e8f0a1e4bf42cf3cd4fe30d646d20450a3fb5f1 /plugins
parent16d8b60a7b68d373c24e155ebb301cf57c2b680a (diff)
downloadprosody-87639540e4ea43c57eb3d31b78e0b5acaf68f97a.tar.gz
prosody-87639540e4ea43c57eb3d31b78e0b5acaf68f97a.zip
mod_http: Solve CORS problems once and for all
This blindly allows any cross-site requests. Future work should add an API to allow each HTTP app some influence over this for each HTTP path
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_http.lua19
1 files changed, 19 insertions, 0 deletions
diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua
index a1d409bd..07d1094b 100644
--- a/plugins/mod_http.lua
+++ b/plugins/mod_http.lua
@@ -22,6 +22,11 @@ server.set_default_host(module:get_option_string("http_default_host"));
server.set_option("body_size_limit", module:get_option_number("http_max_content_size"));
server.set_option("buffer_size_limit", module:get_option_number("http_max_buffer_size"));
+-- CORS settigs
+local opt_methods = module:get_option_set("access_control_allow_methods", { "GET", "POST", "PUT", "OPTIONS" });
+local opt_headers = module:get_option_set("access_control_allow_headers", { "Content-Type" });
+local opt_max_age = module:get_option_number("access_control_max_age", 2 * 60 * 60);
+
local function get_http_event(host, app_path, key)
local method, path = key:match("^(%S+)%s+(.+)$");
if not method then -- No path specified, default to "" (base path)
@@ -83,6 +88,13 @@ function moduleapi.http_url(module, app_name, default_path)
return "http://disabled.invalid/";
end
+local function apply_cors_headers(response, methods, headers, max_age, origin)
+ response.headers.access_control_allow_methods = tostring(methods);
+ response.headers.access_control_allow_headers = tostring(headers);
+ response.headers.access_control_max_age = tostring(max_age)
+ response.headers.access_control_allow_origin = origin or "*";
+end
+
function module.add_host(module)
local host = module.host;
if host ~= "*" then
@@ -101,6 +113,12 @@ function module.add_host(module)
end
apps[app_name] = apps[app_name] or {};
local app_handlers = apps[app_name];
+
+ local function cors_handler(event_data)
+ local request, response = event_data.request, event_data.response;
+ apply_cors_headers(response, opt_methods, opt_headers, opt_max_age, request.headers.origin);
+ end
+
for key, handler in pairs(event.item.route or {}) do
local event_name = get_http_event(host, app_path, key);
if event_name then
@@ -121,6 +139,7 @@ function module.add_host(module)
if not app_handlers[event_name] then
app_handlers[event_name] = handler;
module:hook_object_event(server, event_name, handler);
+ module:hook_object_event(server, event_name, cors_handler, 1);
else
module:log("warn", "App %s added handler twice for '%s', ignoring", app_name, event_name);
end