discourse/config/initializers/008-rack-cors.rb

# frozen_string_literal: true

class Discourse::Cors
  ORIGINS_ENV = "Discourse_Cors_Origins"

  def initialize(app, options = nil)
    @app = app
    if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
      @global_origins = GlobalSetting.cors_origin.split(',').map(&:strip)
    end
  end

  def call(env)

    cors_origins = @global_origins || []
    cors_origins += SiteSetting.cors_origins.split('|') if SiteSetting.cors_origins.present?
    cors_origins = cors_origins.presence

    if env['REQUEST_METHOD'] == ('OPTIONS') && env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      return [200, Discourse::Cors.apply_headers(cors_origins, env, {}), []]
    end

    env[Discourse::Cors::ORIGINS_ENV] = cors_origins if cors_origins

    status, headers, body = @app.call(env)
    headers ||= {}

    Discourse::Cors.apply_headers(cors_origins, env, headers) if cors_origins

    [status, headers, body]
  end

  def self.apply_headers(cors_origins, env, headers)
    origin = nil

    if cors_origins
      if origin = env['HTTP_ORIGIN']
        origin = nil unless cors_origins.include?(origin)
      end

      headers['Access-Control-Allow-Origin'] = origin || cors_origins[0]
      headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token, Discourse-Visible, User-Api-Key, User-Api-Client-Id'
      headers['Access-Control-Allow-Credentials'] = 'true'
    end

    headers
  end
end

if GlobalSetting.enable_cors
  Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors
end
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`# frozen_string_literal: true`

			`class Discourse::Cors`
			`ORIGINS_ENV = "Discourse_Cors_Origins"`

			`def initialize(app, options = nil)`
			`@app = app`
			`if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?`
			`@global_origins = GlobalSetting.cors_origin.split(',').map(&:strip)`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00			`end`
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`end`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`def call(env)`

			`cors_origins = @global_origins \|\| []`
			`cors_origins += SiteSetting.cors_origins.split('\|') if SiteSetting.cors_origins.present?`
			`cors_origins = cors_origins.presence`
Allow OPTIONS requests when CORS is enabled 2015-05-14 11:14:29 -04:00
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`if env['REQUEST_METHOD'] == ('OPTIONS') && env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']`
			`return [200, Discourse::Cors.apply_headers(cors_origins, env, {}), []]`
Allow OPTIONS requests when CORS is enabled 2015-05-14 11:14:29 -04:00			`end`

FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`env[Discourse::Cors::ORIGINS_ENV] = cors_origins if cors_origins`
Allow OPTIONS requests when CORS is enabled 2015-05-14 11:14:29 -04:00
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`status, headers, body = @app.call(env)`
			`headers \|\|= {}`
FEATURE: CORS settings per-site in a multisite env 2011-10-15 14:00:00 -04:00
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`Discourse::Cors.apply_headers(cors_origins, env, headers) if cors_origins`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`[status, headers, body]`
			`end`

			`def self.apply_headers(cors_origins, env, headers)`
			`origin = nil`

			`if cors_origins`
			`if origin = env['HTTP_ORIGIN']`
			`origin = nil unless cors_origins.include?(origin)`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00			`end`

FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`headers['Access-Control-Allow-Origin'] = origin \|\| cors_origins[0]`
FIX: Add User Api Key headers to CORS - add User-Api-Key and User-Api-Client-Id to Access-Control-Allow-Headers - update test 2018-07-23 20:28:23 -04:00			`headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token, Discourse-Visible, User-Api-Key, User-Api-Client-Id'`
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`headers['Access-Control-Allow-Credentials'] = 'true'`
Implements support for rack-cors for API JavaScript access in end-user browser 2013-04-22 05:16:58 -04:00			`end`
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00
			`headers`
Implements support for rack-cors for API JavaScript access in end-user browser 2013-04-22 05:16:58 -04:00			`end`
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`end`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00
FIX: handle CORS in hijacked requests 2017-12-06 18:30:50 -05:00			`if GlobalSetting.enable_cors`
FIX: CORS middleware needs to happen earlier than AnonymousCache middleware 2017-03-06 12:24:57 -05:00			`Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors`
Implements support for rack-cors for API JavaScript access in end-user browser 2013-04-22 05:16:58 -04:00			`end`