From f19f1088b757c41c2c63b328f1d3faca8fe9a857 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Mon, 28 Mar 2022 14:53:24 +0100
Subject: mod_http (and dependent modules): Make CORS opt-in by default (fixes
 #1731)

The same-origin policy enforced by browsers is a security measure that should
only be turned off when it is safe to do so. It is safe to do so in Prosody's
default modules, but people may load third-party modules that are unsafe.

Therefore we have flipped the default, so that modules must explicitly opt in
to having CORS headers added on their requests.
---
 plugins/mod_http_file_share.lua | 1 +
 1 file changed, 1 insertion(+)

(limited to 'plugins/mod_http_file_share.lua')

diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index 8e433471..b6200628 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -578,6 +578,7 @@ if not external_base_url then
 module:provides("http", {
 		streaming_uploads = true;
 		cors = {
+			enabled = true;
 			credentials = true;
 			headers = {
 				Authorization = true;
-- 
cgit v1.2.3