From f19f1088b757c41c2c63b328f1d3faca8fe9a857 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Mon, 28 Mar 2022 14:53:24 +0100
Subject: mod_http (and dependent modules): Make CORS opt-in by default (fixes
 #1731)

The same-origin policy enforced by browsers is a security measure that should
only be turned off when it is safe to do so. It is safe to do so in Prosody's
default modules, but people may load third-party modules that are unsafe.

Therefore we have flipped the default, so that modules must explicitly opt in
to having CORS headers added on their requests.
---
 plugins/mod_bosh.lua | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'plugins/mod_bosh.lua')

diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua
index 9f08156c..11bfb51d 100644
--- a/plugins/mod_bosh.lua
+++ b/plugins/mod_bosh.lua
@@ -547,6 +547,9 @@ function module.add_host(module)
 	module:depends("http");
 	module:provides("http", {
 		default_path = "/http-bind";
+		cors = {
+			enabled = true;
+		};
 		route = {
 			["GET"] = GET_response;
 			["GET /"] = GET_response;
-- 
cgit v1.2.3