From e121a5a798c944fb1cb02a6b869c89eb4c7dd2e8 Mon Sep 17 00:00:00 2001
From: psychobunny <rodrigues.andrew@gmail.com>
Date: Thu, 6 Apr 2017 17:56:54 -0400
Subject: [PATCH] closes #5574

---
 public/language/en-GB/admin/settings/advanced.json | 2 +-
 src/middleware/headers.js                          | 5 ++++-
 src/views/admin/settings/advanced.tpl              | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/public/language/en-GB/admin/settings/advanced.json b/public/language/en-GB/admin/settings/advanced.json
index b023528d04..05a1929cf0 100644
--- a/public/language/en-GB/admin/settings/advanced.json
+++ b/public/language/en-GB/admin/settings/advanced.json
@@ -6,7 +6,7 @@
 	"headers.allow-from": "Set ALLOW-FROM to Place NodeBB in an iFrame",
 	"headers.powered-by": "Customise the \"Powered By\" header sent by NodeBB",
 	"headers.acao": "Access-Control-Allow-Origin",
-	"headers.acao-help": "To deny access to all sites, leave empty or set to <code>null</code>",
+	"headers.acao-help": "To deny access to all sites, leave empty",
 	"headers.acam": "Access-Control-Allow-Methods",
 	"headers.acah": "Access-Control-Allow-Headers",
 	"traffic-management": "Traffic Management",
diff --git a/src/middleware/headers.js b/src/middleware/headers.js
index ae63b19124..190de28b0e 100644
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@@ -7,11 +7,14 @@ module.exports = function (middleware) {
 		var headers = {
 			'X-Powered-By': encodeURI(meta.config['powered-by'] || 'NodeBB'),
 			'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',
-			'Access-Control-Allow-Origin': encodeURI(meta.config['access-control-allow-origin'] || 'null'),
 			'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] || ''),
 			'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] || ''),
 		};
 
+		if (meta.config['access-control-allow-origin']) {
+			headers['Access-Control-Allow-Origin'] = encodeURI(meta.config['access-control-allow-origin']);
+		}
+
 		for (var key in headers) {
 			if (headers.hasOwnProperty(key) && headers[key]) {
 				res.setHeader(key, headers[key]);
diff --git a/src/views/admin/settings/advanced.tpl b/src/views/admin/settings/advanced.tpl
index 77a5a6d2cc..1454389198 100644
--- a/src/views/admin/settings/advanced.tpl
+++ b/src/views/admin/settings/advanced.tpl
@@ -35,7 +35,7 @@
 			</div>
 			<div class="form-group">
 				<label for="access-control-allow-origin">[[admin/settings/advanced:headers.acao]]</label>
-				<input class="form-control" id="access-control-allow-origin" type="text" placeholder="null" value="null" data-field="access-control-allow-origin" /><br />
+				<input class="form-control" id="access-control-allow-origin" type="text" placeholder="" value="" data-field="access-control-allow-origin" /><br />
 				<p class="help-block">
 					[[admin/settings/advanced:headers.acao-help]]
 				</p>