allow multiple origins for access-control-allow-origin header

add access-control-allow-credentials header to acp
2025-12-24 01:10:31 +01:00 · 2018-03-20 12:24:55 -04:00
parent ae46ec0cae
commit ae0f1847ae
4 changed files with 74 additions and 1 deletions
--- a/public/language/en-GB/admin/settings/advanced.json
+++ b/public/language/en-GB/admin/settings/advanced.json
@@ -7,6 +7,7 @@
 	"headers.powered-by": "Customise the \"Powered By\" header sent by NodeBB",
 	"headers.acao": "Access-Control-Allow-Origin",
 	"headers.acao-help": "To deny access to all sites, leave empty",
+	"headers.acac": "Access-Control-Allow-Credentials",
 	"headers.acam": "Access-Control-Allow-Methods",
 	"headers.acah": "Access-Control-Allow-Headers",
 	"traffic-management": "Traffic Management",
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@@ -14,7 +14,18 @@ module.exports = function (middleware) {
 		};

 		if (meta.config['access-control-allow-origin']) {
-			headers['Access-Control-Allow-Origin'] = encodeURI(meta.config['access-control-allow-origin']);
+			var origins = meta.config['access-control-allow-origin'].split(',');
+			origins = origins.map(function (origin) {
+				return origin && origin.trim();
+			});
+
+			if (origins.includes(req.get('origin'))) {
+				headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));
+			}
+		}
+
+		if (meta.config['access-control-allow-credentials']) {
+			headers['Access-Control-Allow-Credentials'] = meta.config['access-control-allow-credentials'];
 		}

 		if (process.env.NODE_ENV === 'development') {
--- a/src/views/admin/settings/advanced.tpl
+++ b/src/views/admin/settings/advanced.tpl
@@ -40,6 +40,10 @@
 					[[admin/settings/advanced:headers.acao-help]]
 				</p>
 			</div>
+			<div class="form-group">
+				<label for="access-control-allow-credentials">[[admin/settings/advanced:headers.acac]]</label>
+				<input class="form-control" id="access-control-allow-credentials" type="text" placeholder="" value="" data-field="access-control-allow-credentials" /><br />
+			</div>
 			<div class="form-group">
 				<label for="access-control-allow-methods">[[admin/settings/advanced:headers.acam]]</label>
 				<input class="form-control" id="access-control-allow-methods" type="text" placeholder="" data-field="access-control-allow-methods" /><br />
--- a/test/meta.js
+++ b/test/meta.js
@@ -2,6 +2,8 @@

 var assert = require('assert');
 var async = require('async');
+var request = require('request');
+var nconf = require('nconf');

 var db = require('./mocks/databasemock');
 var meta = require('../src/meta');
@@ -300,4 +302,59 @@ describe('meta', function () {
 			process.execArgv = oldArgv;
 		});
 	});
+
+	describe('Access-Control-Allow-Origin', function () {
+		it('Access-Control-Allow-Origin header should be empty', function (done) {
+			var jar = request.jar();
+			request.get(nconf.get('url') + '/api/search?term=bug', {
+				form: {},
+				json: true,
+				jar: jar,
+			}, function (err, response, body) {
+				assert.ifError(err);
+				assert.equal(response.headers['access-control-allow-origin'], undefined);
+				done();
+			});
+		});
+
+		it('should set proper Access-Control-Allow-Origin header', function (done) {
+			var jar = request.jar();
+			var oldValue = meta.config['access-control-allow-origin'];
+			meta.config['access-control-allow-origin'] = 'test.com, mydomain.com';
+			request.get(nconf.get('url') + '/api/search?term=bug', {
+				form: {
+				},
+				json: true,
+				jar: jar,
+				headers: {
+					origin: 'mydomain.com',
+				},
+			}, function (err, response, body) {
+				assert.ifError(err);
+				assert.equal(response.headers['access-control-allow-origin'], 'mydomain.com');
+				meta.config['access-control-allow-origin'] = oldValue;
+				done(err);
+			});
+		});
+
+		it('Access-Control-Allow-Origin header should be empty if origin does not match', function (done) {
+			var jar = request.jar();
+			var oldValue = meta.config['access-control-allow-origin'];
+			meta.config['access-control-allow-origin'] = 'test.com, mydomain.com';
+			request.get(nconf.get('url') + '/api/search?term=bug', {
+				form: {
+				},
+				json: true,
+				jar: jar,
+				headers: {
+					origin: 'notallowed.com',
+				},
+			}, function (err, response, body) {
+				assert.ifError(err);
+				assert.equal(response.headers['access-control-allow-origin'], undefined);
+				meta.config['access-control-allow-origin'] = oldValue;
+				done(err);
+			});
+		});
+	});
 });