prosody
b33558969b3e
plugins/mod_http_file_share.lua
Software / code / prosody
Comparison
plugins/mod_http_file_share.lua @ 12444:b33558969b3e 0.12
mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731)
The same-origin policy enforced by browsers is a security measure that should
only be turned off when it is safe to do so. It is safe to do so in Prosody's
default modules, but people may load third-party modules that are unsafe.
Therefore we have flipped the default, so that modules must explicitly opt in
to having CORS headers added on their requests.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 28 Mar 2022 14:53:24 +0100 |
| parent | 12227:88958c0ecab3 |
| child | 12708:9953ac7b0c15 |
comparison
equal
deleted
inserted
replaced
| 12443:17d87fb2312a | 12444:b33558969b3e |
|---|---|
| 576 | 576 |
| 577 if not external_base_url then | 577 if not external_base_url then |
| 578 module:provides("http", { | 578 module:provides("http", { |
| 579 streaming_uploads = true; | 579 streaming_uploads = true; |
| 580 cors = { | 580 cors = { |
| 581 enabled = true; | |
| 581 credentials = true; | 582 credentials = true; |
| 582 headers = { | 583 headers = { |
| 583 Authorization = true; | 584 Authorization = true; |
| 584 }; | 585 }; |
| 585 }; | 586 }; |
