2017-12-07 07:30:50 +08:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
class Discourse::Cors
|
|
|
|
ORIGINS_ENV = "Discourse_Cors_Origins"
|
|
|
|
|
|
|
|
def initialize(app, options = nil)
|
|
|
|
@app = app
|
|
|
|
if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
|
2020-10-29 10:01:06 +08:00
|
|
|
@global_origins = GlobalSetting.cors_origin.split(",").map { |x| x.strip.chomp("/") }
|
2014-07-23 15:03:52 +08:00
|
|
|
end
|
2017-12-07 07:30:50 +08:00
|
|
|
end
|
2014-07-23 15:03:52 +08:00
|
|
|
|
2017-12-07 07:30:50 +08:00
|
|
|
def call(env)
|
|
|
|
cors_origins = @global_origins || []
|
|
|
|
cors_origins += SiteSetting.cors_origins.split("|") if SiteSetting.cors_origins.present?
|
|
|
|
cors_origins = cors_origins.presence
|
2015-05-14 23:14:29 +08:00
|
|
|
|
2017-12-07 07:30:50 +08:00
|
|
|
if env["REQUEST_METHOD"] == ("OPTIONS") && env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
|
|
|
|
return 200, Discourse::Cors.apply_headers(cors_origins, env, {}), []
|
2015-05-14 23:14:29 +08:00
|
|
|
end
|
|
|
|
|
2017-12-07 07:30:50 +08:00
|
|
|
env[Discourse::Cors::ORIGINS_ENV] = cors_origins if cors_origins
|
2015-05-14 23:14:29 +08:00
|
|
|
|
2017-12-07 07:30:50 +08:00
|
|
|
status, headers, body = @app.call(env)
|
|
|
|
headers ||= {}
|
2011-10-16 02:00:00 +08:00
|
|
|
|
2021-01-29 10:14:49 +08:00
|
|
|
Discourse::Cors.apply_headers(cors_origins, env, headers)
|
2014-07-23 15:03:52 +08:00
|
|
|
|
2017-12-07 07:30:50 +08:00
|
|
|
[status, headers, body]
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.apply_headers(cors_origins, env, headers)
|
2021-01-29 10:14:49 +08:00
|
|
|
request_method = env["REQUEST_METHOD"]
|
2017-12-07 07:30:50 +08:00
|
|
|
|
2021-02-05 11:39:55 +08:00
|
|
|
if env["REQUEST_PATH"] =~ %r{/(javascripts|assets)/} &&
|
|
|
|
Discourse.is_cdn_request?(env, request_method)
|
2021-01-29 10:14:49 +08:00
|
|
|
Discourse.apply_cdn_headers(headers)
|
|
|
|
elsif cors_origins
|
|
|
|
origin = nil
|
2017-12-07 07:30:50 +08:00
|
|
|
if origin = env["HTTP_ORIGIN"]
|
|
|
|
origin = nil unless cors_origins.include?(origin)
|
2014-07-23 15:03:52 +08:00
|
|
|
end
|
|
|
|
|
2017-12-07 07:30:50 +08:00
|
|
|
headers["Access-Control-Allow-Origin"] = origin || cors_origins[0]
|
2020-03-26 14:35:32 +08:00
|
|
|
headers[
|
|
|
|
"Access-Control-Allow-Headers"
|
|
|
|
] = "Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization"
|
2017-12-07 07:30:50 +08:00
|
|
|
headers["Access-Control-Allow-Credentials"] = "true"
|
2018-09-17 09:01:08 +08:00
|
|
|
headers["Access-Control-Allow-Methods"] = "POST, PUT, GET, OPTIONS, DELETE"
|
2021-10-15 09:37:53 +08:00
|
|
|
headers["Access-Control-Max-Age"] = "7200"
|
2013-04-22 17:16:58 +08:00
|
|
|
end
|
2017-12-07 07:30:50 +08:00
|
|
|
|
|
|
|
headers
|
2013-04-22 17:16:58 +08:00
|
|
|
end
|
2017-12-07 07:30:50 +08:00
|
|
|
end
|
2014-07-23 15:03:52 +08:00
|
|
|
|
2021-01-29 10:14:49 +08:00
|
|
|
if GlobalSetting.enable_cors || GlobalSetting.cdn_url
|
2017-03-07 01:24:57 +08:00
|
|
|
Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors
|
2013-04-22 17:16:58 +08:00
|
|
|
end
|