discourse/config/initializers/008-rack-cors.rb

# frozen_string_literal: true

class Discourse::Cors
  ORIGINS_ENV = "Discourse_Cors_Origins"

  def initialize(app, options = nil)
    @app = app
    if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
      @global_origins = GlobalSetting.cors_origin.split(",").map { |x| x.strip.chomp("/") }
    end
  end

  def call(env)
    return @app.call(env) if !GlobalSetting.enable_cors && !GlobalSetting.cdn_url

    cors_origins = @global_origins || []
    cors_origins += SiteSetting.cors_origins.split("|") if SiteSetting.cors_origins.present?
    cors_origins = cors_origins.presence

    if env["REQUEST_METHOD"] == ("OPTIONS") && env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
      return 200, Discourse::Cors.apply_headers(cors_origins, env, {}), []
    end

    env[Discourse::Cors::ORIGINS_ENV] = cors_origins if cors_origins

    status, headers, body = @app.call(env)
    headers ||= {}

    Discourse::Cors.apply_headers(cors_origins, env, headers)

    [status, headers, body]
  end

  def self.apply_headers(cors_origins, env, headers)
    request_method = env["REQUEST_METHOD"]

    if headers["Access-Control-Allow-Origin"]
      # Already configured. Probably by ApplicationController#apply_cdn_headers
    elsif cors_origins
      origin = nil
      if origin = env["HTTP_ORIGIN"]
        origin = nil unless cors_origins.include?(origin)
      end

      headers["Access-Control-Allow-Origin"] = origin || cors_origins[0]
      headers[
        "Access-Control-Allow-Headers"
      ] = "Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization"
      headers["Access-Control-Allow-Credentials"] = "true"
      headers["Access-Control-Allow-Methods"] = "POST, PUT, GET, OPTIONS, DELETE"
      headers["Access-Control-Max-Age"] = "7200"
    end

    headers
  end
end

Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`# frozen_string_literal: true`

			`class Discourse::Cors`
			`ORIGINS_ENV = "Discourse_Cors_Origins"`

			`def initialize(app, options = nil)`
			`@app = app`
			`if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?`
FIX: strip the trailing slash (/) of cors origins. (#10996) Strips trailing `/` from global settings Provides a validation for site settings to ensure a trailing `/` is not added 2020-10-29 10:01:06 +08:00			`@global_origins = GlobalSetting.cors_origin.split(",").map { \|x\| x.strip.chomp("/") }`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 15:03:52 +08:00			`end`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`end`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 15:03:52 +08:00
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`def call(env)`
FIX: Ensure app-cdn CORS is not overridden by cors_origin setting (#24661) We add `Access-Control-Allow-Origin: ` to all asset requests which are requested via a configured CDN. This is particularly important now that we're using browser-native `import()` to load the highlightjs bundle. Unfortunately, user-configurable 'cors_origins' site setting was overriding the wldcard value on CDN assets and causing CORS errors. This commit updates the logic to give the `` value precedence, and adds a spec for the situation. It also invalidates the cache of hljs assets (because CDNs will have cached the bad Access-Control-Allow-Origin header). The rack-cors middleware is also slightly tweaked so that it is always inserted. This makes things easier to test and more consistent. 2023-12-01 20:57:11 +08:00			`return @app.call(env) if !GlobalSetting.enable_cors && !GlobalSetting.cdn_url`

FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`cors_origins = @global_origins \|\| []`
			`cors_origins += SiteSetting.cors_origins.split("\|") if SiteSetting.cors_origins.present?`
			`cors_origins = cors_origins.presence`
Allow OPTIONS requests when CORS is enabled 2015-05-14 23:14:29 +08:00
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`if env["REQUEST_METHOD"] == ("OPTIONS") && env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]`
			`return 200, Discourse::Cors.apply_headers(cors_origins, env, {}), []`
Allow OPTIONS requests when CORS is enabled 2015-05-14 23:14:29 +08:00			`end`

FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`env[Discourse::Cors::ORIGINS_ENV] = cors_origins if cors_origins`
Allow OPTIONS requests when CORS is enabled 2015-05-14 23:14:29 +08:00
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`status, headers, body = @app.call(env)`
			`headers \|\|= {}`
FEATURE: CORS settings per-site in a multisite env 2011-10-16 02:00:00 +08:00
DEV: apply allow origin response header for CDN requests. (#11893) Currently, it creates a CORS error while accessing those static files. 2021-01-29 10:14:49 +08:00			`Discourse::Cors.apply_headers(cors_origins, env, headers)`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 15:03:52 +08:00
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`[status, headers, body]`
			`end`

			`def self.apply_headers(cors_origins, env, headers)`
DEV: apply allow origin response header for CDN requests. (#11893) Currently, it creates a CORS error while accessing those static files. 2021-01-29 10:14:49 +08:00			`request_method = env["REQUEST_METHOD"]`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00
FIX: Ensure app-cdn CORS is not overridden by cors_origin setting (#24661) We add `Access-Control-Allow-Origin: ` to all asset requests which are requested via a configured CDN. This is particularly important now that we're using browser-native `import()` to load the highlightjs bundle. Unfortunately, user-configurable 'cors_origins' site setting was overriding the wldcard value on CDN assets and causing CORS errors. This commit updates the logic to give the `` value precedence, and adds a spec for the situation. It also invalidates the cache of hljs assets (because CDNs will have cached the bad Access-Control-Allow-Origin header). The rack-cors middleware is also slightly tweaked so that it is always inserted. This makes things easier to test and more consistent. 2023-12-01 20:57:11 +08:00			`if headers["Access-Control-Allow-Origin"]`
			`# Already configured. Probably by ApplicationController#apply_cdn_headers`
DEV: apply allow origin response header for CDN requests. (#11893) Currently, it creates a CORS error while accessing those static files. 2021-01-29 10:14:49 +08:00			`elsif cors_origins`
			`origin = nil`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`if origin = env["HTTP_ORIGIN"]`
			`origin = nil unless cors_origins.include?(origin)`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 15:03:52 +08:00			`end`

FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`headers["Access-Control-Allow-Origin"] = origin \|\| cors_origins[0]`
FEATURE: Stricter rules for user presence Previously we would consider a user "present" and "last seen" if the browser window was visible. This has many edge cases, you could be considered present and around for days just by having a window open and no screensaver on. Instead we now also check that you either clicked, transitioned around app or scrolled the page in the last minute in combination with window visibility This will lead to more reliable notifications via email and reduce load of message bus for cases where a user walks away from the terminal 2020-03-26 14:35:32 +08:00			`headers[`
			`"Access-Control-Allow-Headers"`
			`] = "Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization"`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`headers["Access-Control-Allow-Credentials"] = "true"`
FEATURE: Updated CORS config to explicitly specifyhttp methods See: https://stackoverflow.com/questions/20478312/default-value-for-access-control-allow-methods In particular we now explicitly allow DELETE and PUT which is inconsistently allowed depending on browser 2018-09-17 09:01:08 +08:00			`headers["Access-Control-Allow-Methods"] = "POST, PUT, GET, OPTIONS, DELETE"`
FEATURE: Cache CORS preflight requests for 2h (#14614) * FEATURE: Cache CORS preflight requests for 2h Browsers will cache this for 5 seconds by default. If using MessageBus in a different domain, Discourse will issue a new long polling, by default, every 30s or so. This means we would be issuing a new preflight request every time. This can be incredibly wasteful, so let's cache the authorization in the client for 2h, which is the maximum Chromium allows us as of today. * fix tests 2021-10-15 09:37:53 +08:00			`headers["Access-Control-Max-Age"] = "7200"`
Implements support for rack-cors for API JavaScript access in end-user browser 2013-04-22 17:16:58 +08:00			`end`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00
			`headers`
Implements support for rack-cors for API JavaScript access in end-user browser 2013-04-22 17:16:58 +08:00			`end`
FIX: handle CORS in hijacked requests 2017-12-07 07:30:50 +08:00			`end`
FIX: cors setting was broken Some days I wonder why we bother taking a whole gem dependency when 10 lines of code does the job right 2014-07-23 15:03:52 +08:00
FIX: Ensure app-cdn CORS is not overridden by cors_origin setting (#24661) We add `Access-Control-Allow-Origin: ` to all asset requests which are requested via a configured CDN. This is particularly important now that we're using browser-native `import()` to load the highlightjs bundle. Unfortunately, user-configurable 'cors_origins' site setting was overriding the wldcard value on CDN assets and causing CORS errors. This commit updates the logic to give the `` value precedence, and adds a spec for the situation. It also invalidates the cache of hljs assets (because CDNs will have cached the bad Access-Control-Allow-Origin header). The rack-cors middleware is also slightly tweaked so that it is always inserted. This makes things easier to test and more consistent. 2023-12-01 20:57:11 +08:00			`Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors`