add config options for testing the Origin header in cors requests
- allow_all_cors_origins: whether to allow all origins; - allowed_cors_origins: a list of allowed origins (used only if allow_all_cors_origins is false)
@@ -151,8 +151,22 @@ bool FunctionBase::IsCorsMethodAvailable(Request::Method method)
bool FunctionBase::IsCorsOriginAvailable(const std::wstring & origin_url)
{
// true by default for all urles
return true;
if( config )
{
if( config->allow_all_cors_origins )
{
return true;
}
else
{
// origin_url can be a "null" string
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
// but in such a case the "null" should be put to the config as well
return is_in_list(origin_url, config->allowed_cors_origins);
}
}
return false;
}
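Review bot: IsCorsOriginAvailable carries no header comment although its sibling AddAccessControlAllowOriginHeader in the next hunk received one; add above the signature `/* returns true when origin_url (the raw Origin header value) may be used for CORS: always when config->allow_all_cors_origins is set, otherwise only when it is listed in config->allowed_cors_origins; false when no config is present */`. The allow-list branch is only as strict as `is_in_list`, whose comparison is not visible here; confirm it matches whole entries exactly (scheme, host and port), since a prefix or substring match would accept origins the list does not name. The note about the `"null"` origin belongs in that header comment as well, because an operator has to add `null` to allowed_cors_origins deliberately for such requests to pass.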
@@ -175,10 +189,25 @@ void FunctionBase::AddAccessControlAllowMethodsHeader(Request::Method method)
/*
* origin_url is the value of Origin header sent by the client
* origin_url can be: "null"
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
*
*/
void FunctionBase::AddAccessControlAllowOriginHeader(const std::wstring & origin_url)
{
cur->request->AddHeader(Header::access_control_allow_origin, origin_url);
if( config )
{
if( config->allow_all_cors_origins )
{
cur->request->AddHeader(Header::access_control_allow_origin, L"*");
}
else
{
// method IsCorsOriginAvailable(..) was called beforehand so now we assume
// that the origin_url is permitted
cur->request->AddHeader(Header::access_control_allow_origin, origin_url);
}
}
}
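Review bot: In the else branch, where the request's own origin is echoed with `cur->request->AddHeader(Header::access_control_allow_origin, origin_url)`, the response now depends on the Origin request header but nothing here emits `Vary: Origin`, so a shared cache could hand one origin's Access-Control-Allow-Origin value to a request from another origin; add a `Vary: Origin` response header next to that call, through whatever `Header` enumerator the project uses for it, unless it is already set elsewhere. The `*` branch is only honoured by browsers when no `Access-Control-Allow-Credentials: true` is sent in the same response; I cannot see whether the project sends that header, so it is worth confirming. With no `config` the function now emits no Access-Control-Allow-Origin at all, which is correct only because IsCorsOriginAvailable also returns false without a config; a one-line comment stating that dependency, e.g. `// no config: IsCorsOriginAvailable() rejects every origin, so there is nothing to add`, would keep the two functions from drifting apart.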
@@ -246,27 +275,34 @@ void FunctionBase::MakeOptions()
* (we allow Access-Control-Request-Headers not to be present)
*/
Request::Method method = Request::CheckRequestMethod(cors_method->get_wstr()->c_str());
bool cors_available = false;
if( IsCorsMethodAvailable(method) && IsCorsOriginAvailable(*cors_origin->get_wstr()) )
{
bool cors_available = true;
cors_available = true;
if( cors_headers && cors_headers->is_wstr() )
{
cors_available = AreCorsHeadersAvailable(*cors_headers->get_wstr());
}
}
if( cors_available )
if( cors_available )
{
AddAccessControlAllowMethodsHeader(method);
AddAccessControlAllowOriginHeader(*cors_origin->get_wstr());
AddAccessControlMaxAgeHeader();
if( cors_headers && cors_headers->is_wstr() )
{
AddAccessControlAllowMethodsHeader(method);
AddAccessControlAllowOriginHeader(*cors_origin->get_wstr());
AddAccessControlMaxAgeHeader();
if( cors_headers && cors_headers->is_wstr() )
{
AddAccessControlAllowHeadersHeader(*cors_headers->get_wstr());
}
AddAccessControlAllowHeadersHeader(*cors_headers->get_wstr());
}
log << log3 << "FunctionBase: cors requests are permitted" << logend;
}
else
{
log << log2 << "FunctionBase: cors requests are not permitted" << logend;
}
}
else