From 331ede129e1b1787d611b87f1b20dc43eeea92a2 Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Mon, 28 Mar 2022 14:40:21 +0100 Subject: mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730) This is far better than pre-0.12, because we now have a universal way to configure and enable/disable CORS on a per-module basis. --- plugins/mod_http.lua | 44 +++++++++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 13 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua index a31418cf..ffe6963c 100644 --- a/plugins/mod_http.lua +++ b/plugins/mod_http.lua @@ -31,8 +31,10 @@ server.set_option("body_size_limit", module:get_option_number("http_max_content_ server.set_option("buffer_size_limit", module:get_option_number("http_max_buffer_size")); -- CORS settings +local cors_overrides = module:get_option("http_cors_override", {}); local opt_methods = module:get_option_set("access_control_allow_methods", { "GET", "OPTIONS" }); local opt_headers = module:get_option_set("access_control_allow_headers", { "Content-Type" }); +local opt_origins = module:get_option_set("access_control_allow_origins"); local opt_credentials = module:get_option_boolean("access_control_allow_credentials", false); local opt_max_age = module:get_option_number("access_control_max_age", 2 * 60 * 60); @@ -109,7 +111,10 @@ function moduleapi.http_url(module, app_name, default_path) return "http://disabled.invalid/"; end -local function apply_cors_headers(response, methods, headers, max_age, allow_credentials, origin) +local function apply_cors_headers(response, methods, headers, max_age, allow_credentials, allowed_origins, origin) + if allowed_origins and not allowed_origins[origin] then + return; + end response.headers.access_control_allow_methods = tostring(methods); response.headers.access_control_allow_headers = tostring(headers); response.headers.access_control_max_age = tostring(max_age) @@ -141,10 +146,14 @@ function module.add_host(module) local app_methods = opt_methods; local app_headers = opt_headers; local app_credentials = opt_credentials; + local app_origins; + if opt_origins and not (opt_origins:empty() or opt_origins:contains("*")) then + opt_origins = opt_origins._items; + end local function cors_handler(event_data) local request, response = event_data.request, event_data.response; - apply_cors_headers(response, app_methods, app_headers, opt_max_age, app_credentials, request.headers.origin); + apply_cors_headers(response, app_methods, app_headers, opt_max_age, app_credentials, app_origins, request.headers.origin); end local function options_handler(event_data) @@ -152,17 +161,26 @@ function module.add_host(module) return ""; end - if event.item.cors then - local cors = event.item.cors; - if cors.credentials ~= nil then - app_credentials = cors.credentials; - end - if cors.headers then - for header, enable in pairs(cors.headers) do - if enable and not app_headers:contains(header) then - app_headers = app_headers + set.new { header }; - elseif not enable and app_headers:contains(header) then - app_headers = app_headers - set.new { header }; + local cors = cors_overrides[app_name] or event.item.cors; + if cors then + if cors.enabled ~= false then + if cors.credentials ~= nil then + app_credentials = cors.credentials; + end + if cors.headers then + for header, enable in pairs(cors.headers) do + if enable and not app_headers:contains(header) then + app_headers = app_headers + set.new { header }; + elseif not enable and app_headers:contains(header) then + app_headers = app_headers - set.new { header }; + end + end + end + if cors.origins then + if cors.origins == "*" or cors.origins[1] == "*" then + app_origins = nil; + else + app_origins = set.new(cors.origins)._items; end end end -- cgit v1.2.3 From f19f1088b757c41c2c63b328f1d3faca8fe9a857 Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Mon, 28 Mar 2022 14:53:24 +0100 Subject: mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731) The same-origin policy enforced by browsers is a security measure that should only be turned off when it is safe to do so. It is safe to do so in Prosody's default modules, but people may load third-party modules that are unsafe. Therefore we have flipped the default, so that modules must explicitly opt in to having CORS headers added on their requests. --- plugins/mod_bosh.lua | 3 +++ plugins/mod_http.lua | 2 +- plugins/mod_http_file_share.lua | 1 + plugins/mod_websocket.lua | 3 +++ 4 files changed, 8 insertions(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua index 9f08156c..11bfb51d 100644 --- a/plugins/mod_bosh.lua +++ b/plugins/mod_bosh.lua @@ -547,6 +547,9 @@ function module.add_host(module) module:depends("http"); module:provides("http", { default_path = "/http-bind"; + cors = { + enabled = true; + }; route = { ["GET"] = GET_response; ["GET /"] = GET_response; diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua index ffe6963c..b26adb1c 100644 --- a/plugins/mod_http.lua +++ b/plugins/mod_http.lua @@ -163,7 +163,7 @@ function module.add_host(module) local cors = cors_overrides[app_name] or event.item.cors; if cors then - if cors.enabled ~= false then + if cors.enabled == true then if cors.credentials ~= nil then app_credentials = cors.credentials; end diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua index 8e433471..b6200628 100644 --- a/plugins/mod_http_file_share.lua +++ b/plugins/mod_http_file_share.lua @@ -578,6 +578,7 @@ if not external_base_url then module:provides("http", { streaming_uploads = true; cors = { + enabled = true; credentials = true; headers = { Authorization = true; diff --git a/plugins/mod_websocket.lua b/plugins/mod_websocket.lua index c4f172fc..bddcbb79 100644 --- a/plugins/mod_websocket.lua +++ b/plugins/mod_websocket.lua @@ -355,6 +355,9 @@ function module.add_host(module) module:provides("http", { name = "websocket"; default_path = "xmpp-websocket"; + cors = { + enabled = true; + }; route = { ["GET"] = handle_request; ["GET /"] = handle_request; -- cgit v1.2.3