add config options for testing the Origin header in cors requests

- allow_all_cors_origins - whether or not to allow all origins
- allowed_cors_origins - a list of allowed origins (used if allow_all_cors_origins is false)

winixd/core/config.cpp

@@ -350,6 +350,9 @@ void Config::AssignValues()
 	add_header_cache_no_store_in_htmx_request = Bool(L"add_header_cache_no_store_in_htmx_request", true);
 
 	request_queue_job_limit = Size(L"request_queue_job_limit", 1024);
+
+	allow_all_cors_origins = Bool(L"allow_all_cors_origins", false);
+	ListText(L"allowed_cors_origins", allowed_cors_origins);
 }
 
 

winixd/core/config.h

@@ -976,7 +976,17 @@ public:
 	// if the limit is reached then the http status 503 Service Unavailable is returned
 	size_t request_queue_job_limit;
 
+	// whether or not all origins are allowed in cors requests
+	// default: false;
+	// if false then we check allowed_cors_origins table to check whether the origin is available (origin is sent in Origin header),
+	// if allow_all_cors_origins is false and allowed_cors_origins is empty then by default we do not allow cors requests
+	// (but you can still allow it in your function/controller by overriding IsCorsOriginAvailable(...) method)
+	bool allow_all_cors_origins;
 
+	// list of allowed origins in cors requests
+	// used only if allow_all_cors_origins is false
+	// default: empty
+	std::vector<std::wstring> allowed_cors_origins;
 
 
 	Config();

winixd/core/misc.cpp

@@ -1628,8 +1628,23 @@ void slice_by(const std::wstring & str, wchar_t c, std::vector<std::wstring> & o
 }
 
 
+bool is_in_list(const std::wstring & item, const std::vector<std::wstring> & list)
+{
+	return is_in_list_generic(item, list);
+}
 
 
+bool is_in_list(const std::wstring & item, const std::list<std::wstring> & list)
+{
+	return is_in_list_generic(item, list);
+}
+
+
+bool is_in_list(const std::wstring & item, const std::set<std::wstring> & list)
+{
+	return is_in_list_generic(item, list);
+}
+
 
 
 } // namespace Winix

winixd/core/misc.h

@@ -36,6 +36,8 @@
 #define headerfile_winix_core_misc
 
 #include <string>
+#include <vector>
+#include <set>
 #include <sstream>
 #include <ctime>
 #include <cstdio>
@@ -1032,6 +1034,28 @@ void timespec_to_stream_with_unit(timespec & val, pt::Stream & stream);
 void slice_by(const std::wstring & str, wchar_t c, std::vector<std::wstring> & out);
 
 
+bool is_in_list(const std::wstring & item, const std::vector<std::wstring> & list);
+bool is_in_list(const std::wstring & item, const std::list<std::wstring> & list);
+bool is_in_list(const std::wstring & item, const std::set<std::wstring> & list);
+
+
+
+template<typename ContainerType>
+bool is_in_list_generic(const std::wstring & item, const ContainerType & list)
+{
+	for(const std::wstring & str : list)
+	{
+		if( str == item )
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+
+
 } // namespace Winix
 
 

winixd/core/request.cpp

@@ -1536,10 +1536,25 @@ void Request::PrepareSessionCookie()
 }
 
 
+void Request::CheckOriginHeader()
+{
+	pt::Space * origin = headers_in.get_space_nc(L"Origin");
+
+	if( origin && origin->is_wstr() && !out_headers.has_key(Header::access_control_allow_origin) )
+	{
+		if( function && function->IsCorsOriginAvailable(*origin->get_wstr()) )
+		{
+			function->AddAccessControlAllowOriginHeader(*origin->get_wstr());
+		}
+	}
+}
+
+
 
 void Request::PrepareHeaders(bool compressing, int compress_encoding, size_t output_size)
 {
 	PrepareSessionCookie();
+	CheckOriginHeader();
 
 	if( send_as_attachment )
 	{

winixd/core/request.h

@@ -595,6 +595,7 @@ private:
 	int SelectDeflateVersion();
 	void SelectCompression(size_t source_len, bool & compression_allowed, int & compression_encoding);
 	void PrepareSessionCookie();
+	void CheckOriginHeader();
 	void PrepareHeaders(bool compressing, int compress_encoding, size_t output_size);
 	void ModifyStatusForRedirect();
 	void PrepareSendFileHeaderForStaticMountpoint();