Merge 0.12->trunk

author: Matthew Wild <mwild1@gmail.com> 2022-03-28 14:53:46 +0100
committer: Matthew Wild <mwild1@gmail.com> 2022-03-28 14:53:46 +0100
commit: ea2cd6d6768281229b220fa07b246c5b516ffeae (patch)
tree: 4a76734b2c09eb97fc0c28851da2ce8a48d316c9 /plugins
parent: 6a923e65c9a4f1129a448e7c41335d20e375be34 (diff)
parent: f19f1088b757c41c2c63b328f1d3faca8fe9a857 (diff)
download: prosody-ea2cd6d6768281229b220fa07b246c5b516ffeae.tar.gz
prosody-ea2cd6d6768281229b220fa07b246c5b516ffeae.zip
4 files changed, 38 insertions, 13 deletions
diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua
index 9f08156c..11bfb51d 100644
--- a/plugins/mod_bosh.lua
+++ b/plugins/mod_bosh.lua
@@ -547,6 +547,9 @@ function module.add_host(module)
 	module:depends("http");
 	module:provides("http", {
 		default_path = "/http-bind";
+		cors = {
+			enabled = true;
+		};
 		route = {
 			["GET"] = GET_response;
 			["GET /"] = GET_response;
diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua
index a31418cf..b26adb1c 100644
--- a/plugins/mod_http.lua
+++ b/plugins/mod_http.lua
@@ -31,8 +31,10 @@ server.set_option("body_size_limit", module:get_option_number("http_max_content_
 server.set_option("buffer_size_limit", module:get_option_number("http_max_buffer_size"));
 
 -- CORS settings
+local cors_overrides = module:get_option("http_cors_override", {});
 local opt_methods = module:get_option_set("access_control_allow_methods", { "GET", "OPTIONS" });
 local opt_headers = module:get_option_set("access_control_allow_headers", { "Content-Type" });
+local opt_origins = module:get_option_set("access_control_allow_origins");
 local opt_credentials = module:get_option_boolean("access_control_allow_credentials", false);
 local opt_max_age = module:get_option_number("access_control_max_age", 2 * 60 * 60);
 
@@ -109,7 +111,10 @@ function moduleapi.http_url(module, app_name, default_path)
 	return "http://disabled.invalid/";
 end
 
-local function apply_cors_headers(response, methods, headers, max_age, allow_credentials, origin)
+local function apply_cors_headers(response, methods, headers, max_age, allow_credentials, allowed_origins, origin)
+	if allowed_origins and not allowed_origins[origin] then
+		return;
+	end
 	response.headers.access_control_allow_methods = tostring(methods);
 	response.headers.access_control_allow_headers = tostring(headers);
 	response.headers.access_control_max_age = tostring(max_age)
@@ -141,10 +146,14 @@ function module.add_host(module)
 		local app_methods = opt_methods;
 		local app_headers = opt_headers;
 		local app_credentials = opt_credentials;
+		local app_origins;
+		if opt_origins and not (opt_origins:empty() or opt_origins:contains("*")) then
+			opt_origins = opt_origins._items;
+		end
 
 		local function cors_handler(event_data)
 			local request, response = event_data.request, event_data.response;
-			apply_cors_headers(response, app_methods, app_headers, opt_max_age, app_credentials, request.headers.origin);
+			apply_cors_headers(response, app_methods, app_headers, opt_max_age, app_credentials, app_origins, request.headers.origin);
 		end
 
 		local function options_handler(event_data)
@@ -152,17 +161,26 @@ function module.add_host(module)
 			return "";
 		end
 
-		if event.item.cors then
-			local cors = event.item.cors;
-			if cors.credentials ~= nil then
-				app_credentials = cors.credentials;
-			end
-			if cors.headers then
-				for header, enable in pairs(cors.headers) do
-					if enable and not app_headers:contains(header) then
-						app_headers = app_headers + set.new { header };
-					elseif not enable and app_headers:contains(header) then
-						app_headers = app_headers - set.new { header };
+		local cors = cors_overrides[app_name] or event.item.cors;
+		if cors then
+			if cors.enabled == true then
+				if cors.credentials ~= nil then
+					app_credentials = cors.credentials;
+				end
+				if cors.headers then
+					for header, enable in pairs(cors.headers) do
+						if enable and not app_headers:contains(header) then
+							app_headers = app_headers + set.new { header };
+						elseif not enable and app_headers:contains(header) then
+							app_headers = app_headers - set.new { header };
+						end
+					end
+				end
+				if cors.origins then
+					if cors.origins == "*" or cors.origins[1] == "*" then
+						app_origins = nil;
+					else
+						app_origins = set.new(cors.origins)._items;
 					end
 				end
 			end
diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index 8e433471..b6200628 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -578,6 +578,7 @@ if not external_base_url then
 module:provides("http", {
 		streaming_uploads = true;
 		cors = {
+			enabled = true;
 			credentials = true;
 			headers = {
 				Authorization = true;
diff --git a/plugins/mod_websocket.lua b/plugins/mod_websocket.lua
index c4f172fc..bddcbb79 100644
--- a/plugins/mod_websocket.lua
+++ b/plugins/mod_websocket.lua
@@ -355,6 +355,9 @@ function module.add_host(module)
 	module:provides("http", {
 		name = "websocket";
 		default_path = "xmpp-websocket";
+		cors = {
+			enabled = true;
+		};
 		route = {
 			["GET"] = handle_request;
 			["GET /"] = handle_request;
author	Matthew Wild <mwild1@gmail.com>	2022-03-28 14:53:46 +0100
committer	Matthew Wild <mwild1@gmail.com>	2022-03-28 14:53:46 +0100
commit	ea2cd6d6768281229b220fa07b246c5b516ffeae (patch)
tree	4a76734b2c09eb97fc0c28851da2ce8a48d316c9 /plugins
parent	6a923e65c9a4f1129a448e7c41335d20e375be34 (diff)
parent	f19f1088b757c41c2c63b328f1d3faca8fe9a857 (diff)
download	prosody-ea2cd6d6768281229b220fa07b246c5b516ffeae.tar.gz prosody-ea2cd6d6768281229b220fa07b246c5b516ffeae.zip