Better cors error logging
parent
46685f45aa
commit
e4551bb321
|
@ -7,11 +7,13 @@ class CORSHelper
|
|||
{
|
||||
//Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
|
||||
$origin = $request->getHeader('Origin');
|
||||
$allowedOrigins = self::getAllowedOrigins($request);
|
||||
|
||||
if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
|
||||
(!in_array($origin, self::getAllowedOrigins($request))))
|
||||
{
|
||||
(!in_array($origin, $allowedOrigins))
|
||||
) {
|
||||
//Don't allow CORS from other domains to prevent XSS.
|
||||
Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!");
|
||||
throw new Zend_Controller_Action_Exception('Forbidden', 403);
|
||||
}
|
||||
//Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.
|
||||
|
|
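Review bot: The localhost exemption in the `if` condition uses an unanchored pattern, `preg_match("/https?:\/\/localhost/", $origin)`, so an Origin value that merely contains that prefix (for instance a host name that only begins with `localhost`) skips the allow-list check; anchoring it, e.g. `preg_match('#^https?://localhost(:\d+)?$#', $origin) === 1`, closes that gap. The added `Logging::error(...)` call interpolates the raw, client-supplied Origin header into the log line, so it would be safer to strip control characters and cap the length before logging it. Because any external page can trigger this path, logging it at error level may also flood the error log; a warning level looks more fitting if `Logging` offers one. The enclosing method starts before and continues after this hunk, so how `getAllowedOrigins()` builds the list is not visible here.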