closes #6556

2025-12-24 01:10:31 +01:00 · 2018-06-06 13:11:43 -04:00
parent db1d10cf4c
commit 14f6e74bad
4 changed files with 89 additions and 0 deletions
--- a/public/language/en-GB/admin/settings/advanced.json
+++ b/public/language/en-GB/admin/settings/advanced.json
@@ -6,7 +6,9 @@
 	"headers.allow-from": "Set ALLOW-FROM to Place NodeBB in an iFrame",
 	"headers.powered-by": "Customise the \"Powered By\" header sent by NodeBB",
 	"headers.acao": "Access-Control-Allow-Origin",
+	"headers.acao-regex": "Access-Control-Allow-Origin Regular Expression",
 	"headers.acao-help": "To deny access to all sites, leave empty",
+	"headers.acao-regex-help": "Enter regular expressions here to match dynamic origins. To deny access to all sites, leave empty",
 	"headers.acac": "Access-Control-Allow-Credentials",
 	"headers.acam": "Access-Control-Allow-Methods",
 	"headers.acah": "Access-Control-Allow-Headers",
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@@ -1,6 +1,7 @@
 'use strict';

 var os = require('os');
+var winston = require('winston');

 var meta = require('../meta');

@@ -24,6 +25,25 @@ module.exports = function (middleware) {
 			}
 		}

+		if (meta.config['access-control-allow-origin-regex']) {
+			var originsRegex = meta.config['access-control-allow-origin-regex'].split(',');
+			originsRegex = originsRegex.map(function (origin) {
+				try {
+					origin = new RegExp(origin.trim());
+				} catch (err) {
+					winston.error('[middleware.addHeaders] Invalid RegExp For access-control-allow-origin ' + origin);
+					origin = null;
+				}
+				return origin;
+			});
+
+			originsRegex.forEach(function (regex) {
+				if (regex && regex.test(req.get('origin'))) {
+					headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));
+				}
+			});
+		}
+
 		if (meta.config['access-control-allow-credentials']) {
 			headers['Access-Control-Allow-Credentials'] = meta.config['access-control-allow-credentials'];
 		}
--- a/src/views/admin/settings/advanced.tpl
+++ b/src/views/admin/settings/advanced.tpl
@@ -40,6 +40,13 @@
 					[[admin/settings/advanced:headers.acao-help]]
 				</p>
 			</div>
+			<div class="form-group">
+				<label for="access-control-allow-origin-regex">[[admin/settings/advanced:headers.acao-regex]]</label>
+				<input class="form-control" id="access-control-allow-origin-regex" type="text" placeholder="" value="" data-field="access-control-allow-origin-regex" /><br />
+				<p class="help-block">
+					[[admin/settings/advanced:headers.acao-regex-help]]
+				</p>
+			</div>
 			<div class="form-group">
 				<label for="access-control-allow-credentials">[[admin/settings/advanced:headers.acac]]</label>
 				<input class="form-control" id="access-control-allow-credentials" type="text" placeholder="" value="" data-field="access-control-allow-credentials" /><br />
--- a/test/meta.js
+++ b/test/meta.js
@@ -356,5 +356,65 @@ describe('meta', function () {
 				done(err);
 			});
 		});
+
+		it('should set proper Access-Control-Allow-Origin header', function (done) {
+			var jar = request.jar();
+			var oldValue = meta.config['access-control-allow-origin-regex'];
+			meta.config['access-control-allow-origin-regex'] = 'match\\.this\\..+\\.domain.com, mydomain\\.com';
+			request.get(nconf.get('url') + '/api/search?term=bug', {
+				form: {
+				},
+				json: true,
+				jar: jar,
+				headers: {
+					origin: 'match.this.anything123.domain.com',
+				},
+			}, function (err, response, body) {
+				assert.ifError(err);
+				assert.equal(response.headers['access-control-allow-origin'], 'match.this.anything123.domain.com');
+				meta.config['access-control-allow-origin-regex'] = oldValue;
+				done(err);
+			});
+		});
+
+		it('Access-Control-Allow-Origin header should be empty if origin does not match', function (done) {
+			var jar = request.jar();
+			var oldValue = meta.config['access-control-allow-origin-regex'];
+			meta.config['access-control-allow-origin-regex'] = 'match\\.this\\..+\\.domain.com, mydomain\\.com';
+			request.get(nconf.get('url') + '/api/search?term=bug', {
+				form: {
+				},
+				json: true,
+				jar: jar,
+				headers: {
+					origin: 'notallowed.com',
+				},
+			}, function (err, response, body) {
+				assert.ifError(err);
+				assert.equal(response.headers['access-control-allow-origin'], undefined);
+				meta.config['access-control-allow-origin-regex'] = oldValue;
+				done(err);
+			});
+		});
+
+		it('should not error with invalid regexp', function (done) {
+			var jar = request.jar();
+			var oldValue = meta.config['access-control-allow-origin-regex'];
+			meta.config['access-control-allow-origin-regex'] = '[match\\.this\\..+\\.domain.com, mydomain\\.com';
+			request.get(nconf.get('url') + '/api/search?term=bug', {
+				form: {
+				},
+				json: true,
+				jar: jar,
+				headers: {
+					origin: 'mydomain.com',
+				},
+			}, function (err, response, body) {
+				assert.ifError(err);
+				assert.equal(response.headers['access-control-allow-origin'], 'mydomain.com');
+				meta.config['access-control-allow-origin-regex'] = oldValue;
+				done(err);
+			});
+		});
 	});
 });