discourse/config/initializers/008-rack-cors.rb

59 lines
1.9 KiB
Ruby

# frozen_string_literal: true
class Discourse::Cors
ORIGINS_ENV = "Discourse_Cors_Origins"
def initialize(app, options = nil)
@app = app
if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
@global_origins = GlobalSetting.cors_origin.split(",").map { |x| x.strip.chomp("/") }
end
end
def call(env)
return @app.call(env) if !GlobalSetting.enable_cors && !GlobalSetting.cdn_url
cors_origins = @global_origins || []
cors_origins += SiteSetting.cors_origins.split("|") if SiteSetting.cors_origins.present?
cors_origins = cors_origins.presence
if env["REQUEST_METHOD"] == ("OPTIONS") && env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
return 200, Discourse::Cors.apply_headers(cors_origins, env, {}), []
end
env[Discourse::Cors::ORIGINS_ENV] = cors_origins if cors_origins
status, headers, body = @app.call(env)
headers ||= {}
Discourse::Cors.apply_headers(cors_origins, env, headers)
[status, headers, body]
end
def self.apply_headers(cors_origins, env, headers)
request_method = env["REQUEST_METHOD"]
if headers["Access-Control-Allow-Origin"]
# Already configured. Probably by ApplicationController#apply_cdn_headers
elsif cors_origins
origin = nil
if origin = env["HTTP_ORIGIN"]
origin = nil if cors_origins.exclude?(origin)
end
headers["Access-Control-Allow-Origin"] = origin || cors_origins[0]
headers[
"Access-Control-Allow-Headers"
] = "Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization"
headers["Access-Control-Allow-Credentials"] = "true"
headers["Access-Control-Allow-Methods"] = "POST, PUT, GET, OPTIONS, DELETE"
headers["Access-Control-Max-Age"] = "7200"
end
headers
end
end
Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors