discourse/config/initializers/008-rack-cors.rb

if GlobalSetting.enable_cors
  class Discourse::Cors
    def initialize(app, options = nil)
      @app = app
      if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
        @global_origins = GlobalSetting.cors_origin.split(',').map(&:strip)
      end
    end

    def call(env)
      if env['REQUEST_METHOD'] == 'OPTIONS' and env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
        return [200, apply_headers(env), []]
      end

      status, headers, body = @app.call(env)
      [status, apply_headers(env, headers), body]
    end

    def apply_headers(env, headers=nil)
      headers ||= {}

      origin = nil
      cors_origins = @global_origins || []
      cors_origins += SiteSetting.cors_origins.split('|') if SiteSetting.cors_origins

      if cors_origins
        if origin = env['HTTP_ORIGIN']
          origin = nil unless cors_origins.include?(origin)
        end

        headers['Access-Control-Allow-Origin'] = origin || cors_origins[0]
        headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token, Discourse-Visible'
        headers['Access-Control-Allow-Credentials'] = 'true'
      end

      headers
    end
  end

  Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors
end
FEATURE: CORS settings per-site in a multisite env 2011-10-15 14:00:00 -04:00			`if GlobalSetting.enable_cors`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00			`class Discourse::Cors`
			`def initialize(app, options = nil)`
			`@app = app`
FEATURE: CORS settings per-site in a multisite env 2011-10-15 14:00:00 -04:00			`if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?`
			`@global_origins = GlobalSetting.cors_origin.split(',').map(&:strip)`
			`end`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00			`end`

			`def call(env)`
Allow OPTIONS requests when CORS is enabled 2015-05-14 11:14:29 -04:00			`if env['REQUEST_METHOD'] == 'OPTIONS' and env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']`
			`return [200, apply_headers(env), []]`
			`end`

FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00			`status, headers, body = @app.call(env)`
Allow OPTIONS requests when CORS is enabled 2015-05-14 11:14:29 -04:00			`[status, apply_headers(env, headers), body]`
			`end`

			`def apply_headers(env, headers=nil)`
			`headers \|\|= {}`

FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00			`origin = nil`
FEATURE: CORS settings per-site in a multisite env 2011-10-15 14:00:00 -04:00			`cors_origins = @global_origins \|\| []`
			`cors_origins += SiteSetting.cors_origins.split('\|') if SiteSetting.cors_origins`

			`if cors_origins`
			`if origin = env['HTTP_ORIGIN']`
			`origin = nil unless cors_origins.include?(origin)`
			`end`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00
FEATURE: CORS settings per-site in a multisite env 2011-10-15 14:00:00 -04:00			`headers['Access-Control-Allow-Origin'] = origin \|\| cors_origins[0]`
FIX: add Discourse-Visible to CORS allowed headers for sites that use a proxy 2017-03-06 14:41:57 -05:00			`headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token, Discourse-Visible'`
Enable CORS requests to pass necessary headers. To fully enable session deletion over CORS we need support for passing the `X-Requested-With` header so that these requests can pass the `check-xhr` filter. I also allowed the `X-CSRF-Token` to enable the alternative CSRF passing syntax. 2015-05-14 12:46:36 -04:00			`headers['Access-Control-Allow-Credentials'] = 'true'`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00			`end`

Allow OPTIONS requests when CORS is enabled 2015-05-14 11:14:29 -04:00			`headers`
Implements support for rack-cors for API JavaScript access in end-user browser 2013-04-22 05:16:58 -04:00			`end`
			`end`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 03:03:52 -04:00
FIX: CORS middleware needs to happen earlier than AnonymousCache middleware 2017-03-06 12:24:57 -05:00			`Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors`
Implements support for rack-cors for API JavaScript access in end-user browser 2013-04-22 05:16:58 -04:00			`end`