Better cors error logging

This commit is contained in:
jo 2021-10-07 19:05:56 +02:00
parent 46685f45aa
commit e4551bb321
1 changed files with 4 additions and 2 deletions

View File

@ -7,11 +7,13 @@ class CORSHelper
{
//Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
$origin = $request->getHeader('Origin');
$allowedOrigins = self::getAllowedOrigins($request);
if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
(!in_array($origin, self::getAllowedOrigins($request))))
{
(!in_array($origin, $allowedOrigins))
) {
//Don't allow CORS from other domains to prevent XSS.
Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!");
throw new Zend_Controller_Action_Exception('Forbidden', 403);
}
//Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.