FEATURE: CORS settings per-site in a multisite env

2011-10-15 14:00:00 -04:00 · 2011-10-15 14:00:00 -04:00 · f88075cbba
parent bb59798066
commit f88075cbba
4 changed files with 19 additions and 9 deletions
--- a/config/discourse_defaults.conf
+++ b/config/discourse_defaults.conf
@ -93,7 +93,7 @@ asset_redis_url =

 # enable Cross-origin Resource Sharing (CORS) directly at the application level
 enable_cors = false
-cors_origin = '*'
+cors_origin = ''

 # enable if you really need to serve assets in prd
 serve_static_assets = false
--- a/config/initializers/08-rack-cors.rb
+++ b/config/initializers/08-rack-cors.rb
@ -1,24 +1,30 @@
-if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
-
+if GlobalSetting.enable_cors
  class Discourse::Cors
    def initialize(app, options = nil)
      @app = app
-      @origins = GlobalSetting.cors_origin.split(',').map(&:strip)
+      if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
+        @global_origins = GlobalSetting.cors_origin.split(',').map(&:strip)
+      end
    end

    def call(env)
      status, headers, body = @app.call(env)
      origin = nil
+      cors_origins = @global_origins || []
+      cors_origins += SiteSetting.cors_origins.split('|') if SiteSetting.cors_origins

-      if origin = env['HTTP_ORIGIN']
-        origin = nil unless @origins.include? origin
+      if cors_origins
+        if origin = env['HTTP_ORIGIN']
+          origin = nil unless cors_origins.include?(origin)
+        end
+
+        headers['Access-Control-Allow-Origin'] = origin || cors_origins[0]
+        headers['Access-Control-Allow-Credentials'] = "true"
      end

-      headers['Access-Control-Allow-Origin'] = origin || @origins[0]
-      headers['Access-Control-Allow-Credentials'] = "true"
      [status,headers,body]
    end
  end

-  Rails.configuration.middleware.insert 0, Discourse::Cors
+  Rails.configuration.middleware.use Discourse::Cors
 end
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -726,6 +726,7 @@ en:
    enable_escaped_fragments: "Fall back to Google's Ajax-Crawling API if no webcrawler is detected. See https://support.google.com/webmasters/answer/174992?hl=en"
    enable_noscript_support: "Enable standard webcrawler search engine support via the noscript tag"
    allow_moderators_to_create_categories: "Allow moderators to create new categories"
+    cors_origins: "Allowed origins for cross-origin requests (CORS). Each origin must include http:// or https://. The DISCOURSE_ENABLE_CORS env variable must be set to true to enable CORS."
    top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|starred|categories|top|read|posted"
    post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply"
    post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on."
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -542,6 +542,9 @@ security:
  allow_index_in_robots_txt: true
  enable_noscript_support: true
  allow_moderators_to_create_categories: false
+  cors_origins:
+    default: ''
+    type: list

 onebox:
  enable_flash_video_onebox: false