allow multiple origins for access-control-allow-origin header
add access-control-allow-credentials header to acp
@@ -7,6 +7,7 @@
|
|||||||
"headers.powered-by": "Customise the \"Powered By\" header sent by NodeBB",
|
"headers.powered-by": "Customise the \"Powered By\" header sent by NodeBB",
|
||||||
"headers.acao": "Access-Control-Allow-Origin",
|
"headers.acao": "Access-Control-Allow-Origin",
|
||||||
"headers.acao-help": "To deny access to all sites, leave empty",
|
"headers.acao-help": "To deny access to all sites, leave empty",
|
||||||
|
"headers.acac": "Access-Control-Allow-Credentials",
|
||||||
"headers.acam": "Access-Control-Allow-Methods",
|
"headers.acam": "Access-Control-Allow-Methods",
|
||||||
"headers.acah": "Access-Control-Allow-Headers",
|
"headers.acah": "Access-Control-Allow-Headers",
|
||||||
"traffic-management": "Traffic Management",
|
"traffic-management": "Traffic Management",
|
||||||
|
|||||||
@@ -14,7 +14,18 @@ module.exports = function (middleware) {
|
|||||||
};
|
};
|
||||||
|
|
||||||
if (meta.config['access-control-allow-origin']) {
|
if (meta.config['access-control-allow-origin']) {
|
||||||
headers['Access-Control-Allow-Origin'] = encodeURI(meta.config['access-control-allow-origin']);
|
var origins = meta.config['access-control-allow-origin'].split(',');
|
||||||
|
origins = origins.map(function (origin) {
|
||||||
|
return origin && origin.trim();
|
||||||
|
});
|
||||||
|
|
||||||
|
if (origins.includes(req.get('origin'))) {
|
||||||
|
headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (meta.config['access-control-allow-credentials']) {
|
||||||
|
headers['Access-Control-Allow-Credentials'] = meta.config['access-control-allow-credentials'];
|
||||||
}
|
}
|
||||||
|
|
||||||
if (process.env.NODE_ENV === 'development') {
|
if (process.env.NODE_ENV === 'development') {
|
||||||
|
|||||||
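Review bot: The Access-Control-Allow-Origin value now depends on the request's Origin header, but nothing sets `Vary: Origin` next to it, so a shared cache or CDN can serve a response carrying one listed origin's ACAO (and, with the new setting, `Access-Control-Allow-Credentials`) to a request from a different origin; add `headers.Vary = 'Origin';` inside the `origins.includes(req.get('origin'))` branch, merging with any Vary value already present rather than overwriting it. The match is an exact string compare against the trimmed config entries, so a previously configured `*` no longer produces any header at all (a browser never sends a literal `*` Origin) — this reads as a silent regression for existing wildcard installs unless that is intended, and the help text should then say the list must contain full origins with scheme. Access-Control-Allow-Credentials is copied verbatim from a free-text setting; only the literal `true` has any effect, and paired with origin reflection it grants credentialed cross-origin access to every listed origin, so consider coercing the value to a boolean (`meta.config['access-control-allow-credentials'] === 'true'`) and documenting that consequence. The enclosing middleware function starts outside this hunk.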
@@ -40,6 +40,10 @@
|
|||||||
[[admin/settings/advanced:headers.acao-help]]
|
[[admin/settings/advanced:headers.acao-help]]
|
||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
|
<div class="form-group">
|
||||||
|
<label for="access-control-allow-credentials">[[admin/settings/advanced:headers.acac]]</label>
|
||||||
|
<input class="form-control" id="access-control-allow-credentials" type="text" placeholder="" value="" data-field="access-control-allow-credentials" /><br />
|
||||||
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<label for="access-control-allow-methods">[[admin/settings/advanced:headers.acam]]</label>
|
<label for="access-control-allow-methods">[[admin/settings/advanced:headers.acam]]</label>
|
||||||
<input class="form-control" id="access-control-allow-methods" type="text" placeholder="" data-field="access-control-allow-methods" /><br />
|
<input class="form-control" id="access-control-allow-methods" type="text" placeholder="" data-field="access-control-allow-methods" /><br />
|
||||||
|
|||||||
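Review bot: The new Access-Control-Allow-Credentials field is a free-text input, although the only value browsers honour is the literal `true`; a checkbox (`<input type="checkbox" data-field="access-control-allow-credentials" />`, if the settings code supports boolean fields) or at least a placeholder of `true` would stop admins typing `yes`/`1` and silently getting no credentials support. Since this header is only meaningful together with the origin allow-list above it, a short help line stating that every listed origin will then receive credentialed requests, and that entries must be full origins such as `https://example.com`, would make the security trade-off visible in the ACP.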
57
test/meta.js
57
test/meta.js
@@ -2,6 +2,8 @@
|
|||||||
|
|
||||||
var assert = require('assert');
|
var assert = require('assert');
|
||||||
var async = require('async');
|
var async = require('async');
|
||||||
|
var request = require('request');
|
||||||
|
var nconf = require('nconf');
|
||||||
|
|
||||||
var db = require('./mocks/databasemock');
|
var db = require('./mocks/databasemock');
|
||||||
var meta = require('../src/meta');
|
var meta = require('../src/meta');
|
||||||
@@ -300,4 +302,59 @@ describe('meta', function () {
|
|||||||
process.execArgv = oldArgv;
|
process.execArgv = oldArgv;
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
describe('Access-Control-Allow-Origin', function () {
|
||||||
|
it('Access-Control-Allow-Origin header should be empty', function (done) {
|
||||||
|
var jar = request.jar();
|
||||||
|
request.get(nconf.get('url') + '/api/search?term=bug', {
|
||||||
|
form: {},
|
||||||
|
json: true,
|
||||||
|
jar: jar,
|
||||||
|
}, function (err, response, body) {
|
||||||
|
assert.ifError(err);
|
||||||
|
assert.equal(response.headers['access-control-allow-origin'], undefined);
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it('should set proper Access-Control-Allow-Origin header', function (done) {
|
||||||
|
var jar = request.jar();
|
||||||
|
var oldValue = meta.config['access-control-allow-origin'];
|
||||||
|
meta.config['access-control-allow-origin'] = 'test.com, mydomain.com';
|
||||||
|
request.get(nconf.get('url') + '/api/search?term=bug', {
|
||||||
|
form: {
|
||||||
|
},
|
||||||
|
json: true,
|
||||||
|
jar: jar,
|
||||||
|
headers: {
|
||||||
|
origin: 'mydomain.com',
|
||||||
|
},
|
||||||
|
}, function (err, response, body) {
|
||||||
|
assert.ifError(err);
|
||||||
|
assert.equal(response.headers['access-control-allow-origin'], 'mydomain.com');
|
||||||
|
meta.config['access-control-allow-origin'] = oldValue;
|
||||||
|
done(err);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it('Access-Control-Allow-Origin header should be empty if origin does not match', function (done) {
|
||||||
|
var jar = request.jar();
|
||||||
|
var oldValue = meta.config['access-control-allow-origin'];
|
||||||
|
meta.config['access-control-allow-origin'] = 'test.com, mydomain.com';
|
||||||
|
request.get(nconf.get('url') + '/api/search?term=bug', {
|
||||||
|
form: {
|
||||||
|
},
|
||||||
|
json: true,
|
||||||
|
jar: jar,
|
||||||
|
headers: {
|
||||||
|
origin: 'notallowed.com',
|
||||||
|
},
|
||||||
|
}, function (err, response, body) {
|
||||||
|
assert.ifError(err);
|
||||||
|
assert.equal(response.headers['access-control-allow-origin'], undefined);
|
||||||
|
meta.config['access-control-allow-origin'] = oldValue;
|
||||||
|
done(err);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|||||||
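Review bot: Nothing exercises the new Access-Control-Allow-Credentials header, and the two origin tests use bare hostnames (`'mydomain.com'`) that no browser would ever send as an Origin, so they pass only because the middleware does a plain string compare; use full origins such as `'https://mydomain.com'` in both the config value and the request header so the tests document the format admins must enter, and add a case asserting `access-control-allow-credentials` is `'true'` when the setting is on. In each callback `meta.config['access-control-allow-origin'] = oldValue;` runs after the `assert.equal`, so a failing assertion throws before the config is restored and leaks into later tests; move the restore into an `afterEach` or wrap the assertion in `try { ... } finally { ... }`. The `form: {}` option on a GET is unused and can be dropped.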