discourse/config/initializers/008-rack-cors.rb

# frozen_string_literal: true

class Discourse::Cors
  ORIGINS_ENV = "Discourse_Cors_Origins"

  def initialize(app, options = nil)
    @app = app
    if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
      @global_origins = GlobalSetting.cors_origin.split(',').map { |x| x.strip.chomp('/') }
    end
  end

  def call(env)

    cors_origins = @global_origins || []
    cors_origins += SiteSetting.cors_origins.split('|') if SiteSetting.cors_origins.present?
    cors_origins = cors_origins.presence

    if env['REQUEST_METHOD'] == ('OPTIONS') && env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      return [200, Discourse::Cors.apply_headers(cors_origins, env, {}), []]
    end

    env[Discourse::Cors::ORIGINS_ENV] = cors_origins if cors_origins

    status, headers, body = @app.call(env)
    headers ||= {}

    Discourse::Cors.apply_headers(cors_origins, env, headers)

    [status, headers, body]
  end

  def self.apply_headers(cors_origins, env, headers)
    request_method = env['REQUEST_METHOD']
    cdn_endpoints = ["/assets", "/javascripts"]

    if cdn_endpoints.include?(env['SCRIPT_NAME']) && Discourse.is_cdn_request?(env, request_method)
      Discourse.apply_cdn_headers(headers)
    elsif cors_origins
      origin = nil
      if origin = env['HTTP_ORIGIN']
        origin = nil unless cors_origins.include?(origin)
      end

      headers['Access-Control-Allow-Origin'] = origin || cors_origins[0]
      headers['Access-Control-Allow-Headers'] = 'Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization'
      headers['Access-Control-Allow-Credentials'] = 'true'
      headers['Access-Control-Allow-Methods'] = 'POST, PUT, GET, OPTIONS, DELETE'
    end

    headers
  end
end

if GlobalSetting.enable_cors || GlobalSetting.cdn_url
  Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors
end
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`# frozen_string_literal: true`

			`class Discourse::Cors`
			`ORIGINS_ENV = "Discourse_Cors_Origins"`

			`def initialize(app, options = nil)`
			`@app = app`
			`if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?`
FIX: strip the trailing slash (/) of cors origins. (#10996) Strips trailing `/` from global settings Provides a validation for site settings to ensure a trailing `/` is not added 2020-10-29 10:01:06 +08:00			`@global_origins = GlobalSetting.cors_origin.split(',').map { \|x\| x.strip.chomp('/') }`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 15:03:52 +08:00			`end`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`end`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 15:03:52 +08:00
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`def call(env)`

			`cors_origins = @global_origins \|\| []`
			`cors_origins += SiteSetting.cors_origins.split('\|') if SiteSetting.cors_origins.present?`
			`cors_origins = cors_origins.presence`
Allow OPTIONS requests when CORS is enabled 2015-05-14 23:14:29 +08:00
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`if env['REQUEST_METHOD'] == ('OPTIONS') && env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']`
			`return [200, Discourse::Cors.apply_headers(cors_origins, env, {}), []]`
Allow OPTIONS requests when CORS is enabled 2015-05-14 23:14:29 +08:00			`end`

FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`env[Discourse::Cors::ORIGINS_ENV] = cors_origins if cors_origins`
Allow OPTIONS requests when CORS is enabled 2015-05-14 23:14:29 +08:00
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`status, headers, body = @app.call(env)`
			`headers \|\|= {}`
FEATURE: CORS settings per-site in a multisite env 2011-10-16 02:00:00 +08:00
DEV: apply allow origin response header for CDN requests. (#11893) Currently, it creates a CORS error while accessing those static files. 2021-01-29 10:14:49 +08:00			`Discourse::Cors.apply_headers(cors_origins, env, headers)`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 15:03:52 +08:00
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`[status, headers, body]`
			`end`

			`def self.apply_headers(cors_origins, env, headers)`
DEV: apply allow origin response header for CDN requests. (#11893) Currently, it creates a CORS error while accessing those static files. 2021-01-29 10:14:49 +08:00			`request_method = env['REQUEST_METHOD']`
DEV: apply cdn headers to public javascripts endpoint too. (#11942) It will add CORS header `Access-Control-Allow-Origin: '*'` to the files inside `public/javascripts` folder. 2021-02-03 22:45:52 +08:00			`cdn_endpoints = ["/assets", "/javascripts"]`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00
DEV: apply cdn headers to public javascripts endpoint too. (#11942) It will add CORS header `Access-Control-Allow-Origin: '*'` to the files inside `public/javascripts` folder. 2021-02-03 22:45:52 +08:00			`if cdn_endpoints.include?(env['SCRIPT_NAME']) && Discourse.is_cdn_request?(env, request_method)`
DEV: apply allow origin response header for CDN requests. (#11893) Currently, it creates a CORS error while accessing those static files. 2021-01-29 10:14:49 +08:00			`Discourse.apply_cdn_headers(headers)`
			`elsif cors_origins`
			`origin = nil`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`if origin = env['HTTP_ORIGIN']`
			`origin = nil unless cors_origins.include?(origin)`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 15:03:52 +08:00			`end`

FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`headers['Access-Control-Allow-Origin'] = origin \|\| cors_origins[0]`
FEATURE: Stricter rules for user presence Previously we would consider a user "present" and "last seen" if the browser window was visible. This has many edge cases, you could be considered present and around for days just by having a window open and no screensaver on. Instead we now also check that you either clicked, transitioned around app or scrolled the page in the last minute in combination with window visibility This will lead to more reliable notifications via email and reduce load of message bus for cases where a user walks away from the terminal 2020-03-26 14:35:32 +08:00			`headers['Access-Control-Allow-Headers'] = 'Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization'`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`headers['Access-Control-Allow-Credentials'] = 'true'`
FEATURE: Updated CORS config to explicitly specifyhttp methods See: https://stackoverflow.com/questions/20478312/default-value-for-access-control-allow-methods In particular we now explicitly allow DELETE and PUT which is inconsistently allowed depending on browser 2018-09-17 09:01:08 +08:00			`headers['Access-Control-Allow-Methods'] = 'POST, PUT, GET, OPTIONS, DELETE'`
Implements support for rack-cors for API JavaScript access in end-user browser 2013-04-22 17:16:58 +08:00			`end`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00
			`headers`
Implements support for rack-cors for API JavaScript access in end-user browser 2013-04-22 17:16:58 +08:00			`end`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`end`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 15:03:52 +08:00
DEV: apply allow origin response header for CDN requests. (#11893) Currently, it creates a CORS error while accessing those static files. 2021-01-29 10:14:49 +08:00			`if GlobalSetting.enable_cors \|\| GlobalSetting.cdn_url`
FIX: CORS middleware needs to happen earlier than AnonymousCache middleware 2017-03-07 01:24:57 +08:00			`Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors`
Implements support for rack-cors for API JavaScript access in end-user browser 2013-04-22 17:16:58 +08:00			`end`