# HG changeset patch
# User Matthew Wild <mwild1@gmail.com>
# Date 1648475604 -3600
# Node ID b33558969b3eb1a08f7b9dd5f3007840c82a9f44
# Parent  17d87fb2312ac664bc748973363c3e804dcedf9e
mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731)

The same-origin policy enforced by browsers is a security measure that should
only be turned off when it is safe to do so. It is safe to do so in Prosody's
default modules, but people may load third-party modules that are unsafe.

Therefore we have flipped the default, so that modules must explicitly opt in
to having CORS headers added on their requests.

diff -r 17d87fb2312a -r b33558969b3e plugins/mod_bosh.lua
--- a/plugins/mod_bosh.lua	Mon Mar 28 14:40:21 2022 +0100
+++ b/plugins/mod_bosh.lua	Mon Mar 28 14:53:24 2022 +0100
@@ -547,6 +547,9 @@
 	module:depends("http");
 	module:provides("http", {
 		default_path = "/http-bind";
+		cors = {
+			enabled = true;
+		};
 		route = {
 			["GET"] = GET_response;
 			["GET /"] = GET_response;
diff -r 17d87fb2312a -r b33558969b3e plugins/mod_http.lua
--- a/plugins/mod_http.lua	Mon Mar 28 14:40:21 2022 +0100
+++ b/plugins/mod_http.lua	Mon Mar 28 14:53:24 2022 +0100
@@ -163,7 +163,7 @@
 
 		local cors = cors_overrides[app_name] or event.item.cors;
 		if cors then
-			if cors.enabled ~= false then
+			if cors.enabled == true then
 				if cors.credentials ~= nil then
 					app_credentials = cors.credentials;
 				end
diff -r 17d87fb2312a -r b33558969b3e plugins/mod_http_file_share.lua
--- a/plugins/mod_http_file_share.lua	Mon Mar 28 14:40:21 2022 +0100
+++ b/plugins/mod_http_file_share.lua	Mon Mar 28 14:53:24 2022 +0100
@@ -578,6 +578,7 @@
 module:provides("http", {
 		streaming_uploads = true;
 		cors = {
+			enabled = true;
 			credentials = true;
 			headers = {
 				Authorization = true;
diff -r 17d87fb2312a -r b33558969b3e plugins/mod_websocket.lua
--- a/plugins/mod_websocket.lua	Mon Mar 28 14:40:21 2022 +0100
+++ b/plugins/mod_websocket.lua	Mon Mar 28 14:53:24 2022 +0100
@@ -355,6 +355,9 @@
 	module:provides("http", {
 		name = "websocket";
 		default_path = "xmpp-websocket";
+		cors = {
+			enabled = true;
+		};
 		route = {
 			["GET"] = handle_request;
 			["GET /"] = handle_request;