prosody
b33558969b3e
plugins/mod_http.lua
Software / code / prosody
Comparison
plugins/mod_http.lua @ 12444:b33558969b3e 0.12
mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731)
The same-origin policy enforced by browsers is a security measure that should
only be turned off when it is safe to do so. It is safe to do so in Prosody's
default modules, but people may load third-party modules that are unsafe.
Therefore we have flipped the default, so that modules must explicitly opt in
to having CORS headers added on their requests.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 28 Mar 2022 14:53:24 +0100 |
| parent | 12443:17d87fb2312a |
| child | 12790:24b55f0e2db9 |
comparison
equal
deleted
inserted
replaced
| 12443:17d87fb2312a | 12444:b33558969b3e |
|---|---|
| 161 return ""; | 161 return ""; |
| 162 end | 162 end |
| 163 | 163 |
| 164 local cors = cors_overrides[app_name] or event.item.cors; | 164 local cors = cors_overrides[app_name] or event.item.cors; |
| 165 if cors then | 165 if cors then |
| 166 if cors.enabled ~= false then | 166 if cors.enabled == true then |
| 167 if cors.credentials ~= nil then | 167 if cors.credentials ~= nil then |
| 168 app_credentials = cors.credentials; | 168 app_credentials = cors.credentials; |
| 169 end | 169 end |
| 170 if cors.headers then | 170 if cors.headers then |
| 171 for header, enable in pairs(cors.headers) do | 171 for header, enable in pairs(cors.headers) do |
