# HG changeset patch # User Matthew Wild # Date 1648475604 -3600 # Node ID b33558969b3eb1a08f7b9dd5f3007840c82a9f44 # Parent 17d87fb2312ac664bc748973363c3e804dcedf9e mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731) The same-origin policy enforced by browsers is a security measure that should only be turned off when it is safe to do so. It is safe to do so in Prosody's default modules, but people may load third-party modules that are unsafe. Therefore we have flipped the default, so that modules must explicitly opt in to having CORS headers added on their requests. diff -r 17d87fb2312a -r b33558969b3e plugins/mod_bosh.lua --- a/plugins/mod_bosh.lua Mon Mar 28 14:40:21 2022 +0100 +++ b/plugins/mod_bosh.lua Mon Mar 28 14:53:24 2022 +0100 @@ -547,6 +547,9 @@ module:depends("http"); module:provides("http", { default_path = "/http-bind"; + cors = { + enabled = true; + }; route = { ["GET"] = GET_response; ["GET /"] = GET_response; diff -r 17d87fb2312a -r b33558969b3e plugins/mod_http.lua --- a/plugins/mod_http.lua Mon Mar 28 14:40:21 2022 +0100 +++ b/plugins/mod_http.lua Mon Mar 28 14:53:24 2022 +0100 @@ -163,7 +163,7 @@ local cors = cors_overrides[app_name] or event.item.cors; if cors then - if cors.enabled ~= false then + if cors.enabled == true then if cors.credentials ~= nil then app_credentials = cors.credentials; end diff -r 17d87fb2312a -r b33558969b3e plugins/mod_http_file_share.lua --- a/plugins/mod_http_file_share.lua Mon Mar 28 14:40:21 2022 +0100 +++ b/plugins/mod_http_file_share.lua Mon Mar 28 14:53:24 2022 +0100 @@ -578,6 +578,7 @@ module:provides("http", { streaming_uploads = true; cors = { + enabled = true; credentials = true; headers = { Authorization = true; diff -r 17d87fb2312a -r b33558969b3e plugins/mod_websocket.lua --- a/plugins/mod_websocket.lua Mon Mar 28 14:40:21 2022 +0100 +++ b/plugins/mod_websocket.lua Mon Mar 28 14:53:24 2022 +0100 @@ -355,6 +355,9 @@ module:provides("http", { name = "websocket"; default_path = "xmpp-websocket"; + cors = { + enabled = true; + }; route = { ["GET"] = handle_request; ["GET /"] = handle_request;