prosody
b33558969b3e
plugins/mod_bosh.lua
Software / code / prosody
Comparison
plugins/mod_bosh.lua @ 12444:b33558969b3e 0.12
mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731)
The same-origin policy enforced by browsers is a security measure that should
only be turned off when it is safe to do so. It is safe to do so in Prosody's
default modules, but people may load third-party modules that are unsafe.
Therefore we have flipped the default, so that modules must explicitly opt in
to having CORS headers added on their requests.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 28 Mar 2022 14:53:24 +0100 |
| parent | 12262:50525021c2c7 |
| child | 12977:74b9e05af71e |
comparison
equal
deleted
inserted
replaced
| 12443:17d87fb2312a | 12444:b33558969b3e |
|---|---|
| 545 | 545 |
| 546 function module.add_host(module) | 546 function module.add_host(module) |
| 547 module:depends("http"); | 547 module:depends("http"); |
| 548 module:provides("http", { | 548 module:provides("http", { |
| 549 default_path = "/http-bind"; | 549 default_path = "/http-bind"; |
| 550 cors = { | |
| 551 enabled = true; | |
| 552 }; | |
| 550 route = { | 553 route = { |
| 551 ["GET"] = GET_response; | 554 ["GET"] = GET_response; |
| 552 ["GET /"] = GET_response; | 555 ["GET /"] = GET_response; |
| 553 ["POST"] = handle_POST; | 556 ["POST"] = handle_POST; |
| 554 ["POST /"] = handle_POST; | 557 ["POST /"] = handle_POST; |
