SECURITY: extra CORS headers should be set on correct host

Sam 2018-07-11 09:29:02 +10:00
parent 6f25421a06
commit 297b899c68


@ -10,14 +10,14 @@ end
def setup_message_bus_env(env)
return if env["__mb"]
extra_headers = {
"Access-Control-Allow-Origin" => Discourse.base_url_no_prefix,
"Access-Control-Allow-Methods" => "GET, POST",
"Access-Control-Allow-Headers" => "X-SILENCE-LOGGER, X-Shared-Session-Key, Dont-Chunk, Discourse-Visible"
}
host = RailsMultisite::ConnectionManagement.host(env)
RailsMultisite::ConnectionManagement.with_hostname(host) do
extra_headers = {
"Access-Control-Allow-Origin" => Discourse.base_url_no_prefix,
"Access-Control-Allow-Methods" => "GET, POST",
"Access-Control-Allow-Headers" => "X-SILENCE-LOGGER, X-Shared-Session-Key, Dont-Chunk, Discourse-Visible"
}
user = nil
begin
user = CurrentUser.lookup_from_env(env)