discourse/config/initializers/08-rack-cors.rb
Aaron Boushley 60aa52b753 Enable CORS requests to pass necessary headers.
To fully enable session deletion over CORS we need support for passing the
`X-Requested-With` header so that these requests can pass the `check-xhr` filter.

I also allowed the `X-CSRF-Token` to enable the alternative CSRF passing syntax.
2015-05-14 09:46:41 -07:00

41 lines
1.2 KiB
Ruby

if GlobalSetting.enable_cors
class Discourse::Cors
def initialize(app, options = nil)
@app = app
if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
@global_origins = GlobalSetting.cors_origin.split(',').map(&:strip)
end
end
def call(env)
if env['REQUEST_METHOD'] == 'OPTIONS' and env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
return [200, apply_headers(env), []]
end
status, headers, body = @app.call(env)
[status, apply_headers(env, headers), body]
end
def apply_headers(env, headers=nil)
headers ||= {}
origin = nil
cors_origins = @global_origins || []
cors_origins += SiteSetting.cors_origins.split('|') if SiteSetting.cors_origins
if cors_origins
if origin = env['HTTP_ORIGIN']
origin = nil unless cors_origins.include?(origin)
end
headers['Access-Control-Allow-Origin'] = origin || cors_origins[0]
headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token'
headers['Access-Control-Allow-Credentials'] = 'true'
end
headers
end
end
Rails.configuration.middleware.use Discourse::Cors
end