new: new api.rest.alloworigin parameter to customize the Access-Control-Allow-Origin header of the server.

2025-07-15 01:23:42 -07:00 · 2018-09-29 02:10:46 +02:00 · 2018-09-29 02:10:46 +02:00 · 8f7f6545b1
commit 8f7f6545b1
parent 2b117e14d6
2 changed files with 18 additions and 10 deletions
--- a/modules/api_rest.go
+++ b/modules/api_rest.go
@ -22,6 +22,7 @@ type RestAPI struct {
 	password     string
 	certFile     string
 	keyFile      string
+	allowOrigin  string
 	useWebsocket bool
 	upgrader     websocket.Upgrader
 	quit         chan bool
@ -33,6 +34,7 @@ func NewRestAPI(s *session.Session) *RestAPI {
 		server:        &http.Server{},
 		quit:          make(chan bool),
 		useWebsocket:  false,
+		allowOrigin:   "*",
 		upgrader: websocket.Upgrader{
 			ReadBufferSize:  1024,
 			WriteBufferSize: 1024,
@ -48,6 +50,10 @@ func NewRestAPI(s *session.Session) *RestAPI {
 		"8081",
 		"Port to bind the API REST server to."))

+	api.AddParam(session.NewIntParameter("api.rest.alloworigin",
+		api.allowOrigin,
+		"Value of the Access-Control-Allow-Origin header of the API server."))
+
 	api.AddParam(session.NewStringParameter("api.rest.username",
 		"",
 		"",
@ -124,6 +130,8 @@ func (api *RestAPI) Configure() error {
 		return err
 	} else if err, port = api.IntParam("api.rest.port"); err != nil {
 		return err
+	} else if err, api.allowOrigin = api.StringParam("api.rest.alloworigin"); err != nil {
+		return err
 	} else if err, api.certFile = api.StringParam("api.rest.certificate"); err != nil {
 		return err
 	} else if api.certFile, err = core.ExpandPath(api.certFile); err != nil {
--- a/modules/api_rest_controller.go
+++ b/modules/api_rest_controller.go
@ -30,14 +30,6 @@ func setAuthFailed(w http.ResponseWriter, r *http.Request) {
 	w.Write([]byte("Unauthorized"))
 }

-func setSecurityHeaders(w http.ResponseWriter) {
-	w.Header().Add("X-Frame-Options", "DENY")
-	w.Header().Add("X-Content-Type-Options", "nosniff")
-	w.Header().Add("X-XSS-Protection", "1; mode=block")
-	w.Header().Add("Referrer-Policy", "same-origin")
-	w.Header().Set("Access-Control-Allow-Origin", "*")
-}
-
 func toJSON(w http.ResponseWriter, o interface{}) {
 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(o); err != nil {
@ -45,6 +37,14 @@ func toJSON(w http.ResponseWriter, o interface{}) {
 	}
 }

+func (api *RestAPI) setSecurityHeaders(w http.ResponseWriter) {
+	w.Header().Add("X-Frame-Options", "DENY")
+	w.Header().Add("X-Content-Type-Options", "nosniff")
+	w.Header().Add("X-XSS-Protection", "1; mode=block")
+	w.Header().Add("Referrer-Policy", "same-origin")
+	w.Header().Set("Access-Control-Allow-Origin", api.allowOrigin)
+}
+
 func (api *RestAPI) checkAuth(r *http.Request) bool {
 	if api.username != "" && api.password != "" {
 		user, pass, _ := r.BasicAuth()
@ -175,7 +175,7 @@ func (api *RestAPI) clearEvents(w http.ResponseWriter, r *http.Request) {
 }

 func (api *RestAPI) sessionRoute(w http.ResponseWriter, r *http.Request) {
-	setSecurityHeaders(w)
+	api.setSecurityHeaders(w)

 	if !api.checkAuth(r) {
 		setAuthFailed(w, r)
@ -229,7 +229,7 @@ func (api *RestAPI) sessionRoute(w http.ResponseWriter, r *http.Request) {
 }

 func (api *RestAPI) eventsRoute(w http.ResponseWriter, r *http.Request) {
-	setSecurityHeaders(w)
+	api.setSecurityHeaders(w)

 	if !api.checkAuth(r) {
 		setAuthFailed(w, r)