Merge pull request #269 from aleksei-burlakov/access-control-allow-origins

Parametrize CORS Access-Control-Allow-Origin header
aleksei-burlakov authored Dec 8, 2023
2 parents 97c130d + 1aadfc6 commit 5fb7d91
Showing 2 changed files with 12 additions and 2 deletions.
4 changes: 2 additions & 2 deletions hawk/app/controllers/application_controller.rb
Expand Up @@ -113,7 +113,7 @@ def set_current_title
def cors_set_access_control_headers
response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"
if request.headers['Origin']
response.headers['Access-Control-Allow-Origin'] = request.headers["Origin"]
response.headers['Access-Control-Allow-Origin'] = ENV["HAWK_ACCESS_CONTROL_ALLOW_ORIGIN"] || request.headers["Origin"]
response.headers['Access-Control-Allow-Credentials'] = 'true'
response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
response.headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, Authorization, X-CSRF-Token, Token'
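Review bot: In cors_set_access_control_headers the fallback || request.headers["Origin"] keeps the old behaviour whenever HAWK_ACCESS_CONTROL_ALLOW_ORIGIN is absent from the environment: any Origin is echoed back together with Access-Control-Allow-Credentials 'true', so every requesting site is still allowed credentialed cross-origin access. Consider failing closed: emit the CORS headers only when a configured origin exists and the request's Origin equals it, and either drop the reflection fallback or put it behind an explicit opt-in setting.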
Expand All @@ -123,7 +123,7 @@ def cors_set_access_control_headers

def cors_preflight_check
if request.method == 'OPTIONS' && request.headers['Origin']
response.headers["Access-Control-Allow-Origin"] = request.headers["Origin"]
response.headers['Access-Control-Allow-Origin'] = ENV["HAWK_ACCESS_CONTROL_ALLOW_ORIGIN"] || request.headers["Origin"]
response.headers['Access-Control-Allow-Credentials'] = 'true'
response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
response.headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Token'
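Review bot: cors_preflight_check repeats the same ENV["HAWK_ACCESS_CONTROL_ALLOW_ORIGIN"] || request.headers["Origin"] expression as cors_set_access_control_headers, so the two code paths can drift apart; a small private helper that returns the allowed origin would keep them in step. Also, when the variable is set to an empty string, Ruby treats "" as truthy, so this branch sends an empty Access-Control-Allow-Origin alongside the Allow-Credentials, Allow-Methods and Allow-Headers lines; skipping all CORS headers when the value is blank would state the intent more clearly.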
10 changes: 10 additions & 0 deletions scripts/sysconfig.hawk
Expand Up @@ -57,3 +57,13 @@ HAWK_KEY="/etc/hawk/hawk.key"
# Configures an SSL certificate that the Hawk web server presents.
HAWK_CERT="/etc/hawk/hawk.pem"

## Path: Cluster/Hawk
## Description: CORS Access-Control-Allow-Origin
## Type: string
## Default: request.headers["Origin"], i.e. the one who sends request
## ServiceRestart: hawk
# This value will is used for Access-Control-Allow-Origin
# when generation response header when loging into hawk.
# When the value is not defined the request.headers["Origin"] is used.
# Here we explicitely forbid origins.
HAWK_ACCESS_CONTROL_ALLOW_ORIGIN=""
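Review bot: The "Default:" line says request.headers["Origin"], but the file ships HAWK_ACCESS_CONTROL_ALLOW_ORIGIN="", and an empty string that reaches ENV is truthy in Ruby, so the || fallback in the controller is not taken; the documented default and the shipped value disagree, and the comment should say which one is intended. The comment text also has typos ("will is used", "when generation", "loging", "explicitely"), does not say what a valid value looks like (for example a single origin with scheme, host and port), and should state plainly that leaving the variable undefined echoes back any requesting origin.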
