
plugins/mod_http.lua @ 12790:24b55f0e2db9 0.12

mod_http: Allow disabling CORS in the http_cors_override option and by default Fixes #1779. Due to an oversight in the logic, if the user set 'enabled' to false in an override, it would disable the item's requested CORS settings, but still apply Prosody's default CORS policy. This change ensures that 'enabled = false' will now disable CORS entirely for the requested item. Due to the new structure of the code, it was necessary to have a flag to say whether CORS is to be applied at all. Rather than hard-coding 'true' here, I chose to add a new option: 'http_default_cors_enabled'. This is a boolean that allows the operator to disable Prosody's default CORS policy entirely (the one that is used when a module or config does not override it). This makes it easier to disable CORS and then selectively enable it only on services you want it on.
author Matthew Wild <mwild1@gmail.com>
date Mon, 31 Oct 2022 14:32:02 +0000
parent 12444:b33558969b3e
child 12923:419e55abd285
12788:3835c397b129 12790:24b55f0e2db9
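--- a/plugins/mod_http.lua
+++ b/plugins/mod_http.lua
@@ -35,10 +35,11 @@
 local opt_methods = module:get_option_set("access_control_allow_methods", { "GET", "OPTIONS" });
 local opt_headers = module:get_option_set("access_control_allow_headers", { "Content-Type" });
 local opt_origins = module:get_option_set("access_control_allow_origins");
 local opt_credentials = module:get_option_boolean("access_control_allow_credentials", false);
 local opt_max_age = module:get_option_number("access_control_max_age", 2 * 60 * 60);
+local opt_default_cors = module:get_option_boolean("http_default_cors_enabled", true);
 
 local function get_http_event(host, app_path, key)
 local method, path = key:match("^(%S+)%s+(.+)$");
 if not method then -- No path specified, default to "" (base path)
 method, path = key, "";
@@ -181,11 +182,15 @@
 app_origins = nil;
 else
 app_origins = set.new(cors.origins)._items;
 end
 end
+elseif cors.enabled == false then
+cors = nil;
 end
+else
+cors = opt_default_cors;
 end
 
 local streaming = event.item.streaming_uploads;
 
 if not event.item.route then
@@ -226,16 +231,18 @@
 end
 end
 if not app_handlers[event_name] then
 app_handlers[event_name] = {
 main = handler;
-cors = cors_handler;
-options = options_handler;
+cors = cors and cors_handler;
+options = cors and options_handler;
 };
 module:hook_object_event(server, event_name, handler);
-module:hook_object_event(server, event_name, cors_handler, 1);
-module:hook_object_event(server, options_event_name, options_handler, -1);
+if cors then
+module:hook_object_event(server, event_name, cors_handler, 1);
+module:hook_object_event(server, options_event_name, options_handler, -1);
+end
 else
 module:log("warn", "App %s added handler twice for '%s', ignoring", app_name, event_name);
 end
 else
 module:log("error", "Invalid route in %s, %q. See https://prosody.im/doc/developers/http#routes", app_name, key);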
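Review bot: A `cors` table that leaves `enabled` unset is not handled by the new `elseif cors.enabled == false then` branch, so `cors` stays a truthy table and the later `if cors then` still hooks `cors_handler` and `options_handler`. The opening `if` of that chain is outside the hunk, so this assumes it tests `cors.enabled == true`; if it does, such an item gets Prosody's default CORS policy even when the operator has set `http_default_cors_enabled = false`. Consider a fallback before the inner `end`, `else cors = opt_default_cors;`, so the new option also governs that case. A short comment on the `opt_default_cors` line, such as `-- applies only when neither http_cors_override nor the module item decides CORS`, would make the scope of the option clear to operators. The enclosing function begins and ends outside the visible hunks.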