From f19f1088b757c41c2c63b328f1d3faca8fe9a857 Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Mon, 28 Mar 2022 14:53:24 +0100 Subject: mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731) The same-origin policy enforced by browsers is a security measure that should only be turned off when it is safe to do so. It is safe to do so in Prosody's default modules, but people may load third-party modules that are unsafe. Therefore we have flipped the default, so that modules must explicitly opt in to having CORS headers added on their requests. --- plugins/mod_http.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins/mod_http.lua') diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua index ffe6963c..b26adb1c 100644 --- a/plugins/mod_http.lua +++ b/plugins/mod_http.lua @@ -163,7 +163,7 @@ function module.add_host(module) local cors = cors_overrides[app_name] or event.item.cors; if cors then - if cors.enabled ~= false then + if cors.enabled == true then if cors.credentials ~= nil then app_credentials = cors.credentials; end -- cgit v1.2.3