diff --git a/public/language/en-GB/admin/settings/advanced.json b/public/language/en-GB/admin/settings/advanced.json
index b023528d04..05a1929cf0 100644
--- a/public/language/en-GB/admin/settings/advanced.json
+++ b/public/language/en-GB/admin/settings/advanced.json
@@ -6,7 +6,7 @@
"headers.allow-from": "Set ALLOW-FROM to Place NodeBB in an iFrame",
"headers.powered-by": "Customise the \"Powered By\" header sent by NodeBB",
"headers.acao": "Access-Control-Allow-Origin",
- "headers.acao-help": "To deny access to all sites, leave empty or set to null",
+ "headers.acao-help": "To deny access to all sites, leave empty",
"headers.acam": "Access-Control-Allow-Methods",
"headers.acah": "Access-Control-Allow-Headers",
"traffic-management": "Traffic Management",
diff --git a/src/middleware/headers.js b/src/middleware/headers.js
index ae63b19124..190de28b0e 100644
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@@ -7,11 +7,14 @@ module.exports = function (middleware) {
var headers = {
'X-Powered-By': encodeURI(meta.config['powered-by'] || 'NodeBB'),
'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',
- 'Access-Control-Allow-Origin': encodeURI(meta.config['access-control-allow-origin'] || 'null'),
'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] || ''),
'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] || ''),
};
+ if (meta.config['access-control-allow-origin']) {
+ headers['Access-Control-Allow-Origin'] = encodeURI(meta.config['access-control-allow-origin']);
+ }
+
for (var key in headers) {
if (headers.hasOwnProperty(key) && headers[key]) {
res.setHeader(key, headers[key]);
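Review bot: The new `if (meta.config['access-control-allow-origin'])` guard still emits `Access-Control-Allow-Origin: null` on any install whose stored value is the literal string `null`, which the previous help text recommended as the way to deny access. Browsers send `Origin: null` from sandboxed iframes and from `file:`/`data:` documents, so that header value allows cross-origin reads from those contexts instead of denying them. Consider treating the stored string as unset, e.g. `var acao = meta.config['access-control-allow-origin'];` followed by `if (acao && acao !== 'null') {`, or clearing the value in an upgrade step. The enclosing middleware function starts and ends outside the hunk, so whether the setting is normalised elsewhere is not visible here.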
diff --git a/src/views/admin/settings/advanced.tpl b/src/views/admin/settings/advanced.tpl
index 77a5a6d2cc..1454389198 100644
--- a/src/views/admin/settings/advanced.tpl
+++ b/src/views/admin/settings/advanced.tpl
@@ -35,7 +35,7 @@
[[admin/settings/advanced:headers.acao-help]]