Merge branch 'cc-5709-airtime-analyzer-buy-now' of github.com:sourcefabric/Airtime into cc-5709-airtime-analyzer-buy-now

2014-06-23 17:04:50 -04:00 · 2014-06-23 17:04:50 -04:00 · 3307cc8645
parent 806525e28c 3919fbd839
commit 3307cc8645
1 changed files with 9 additions and 1 deletions
--- a/airtime_mvc/application/controllers/LoginController.php
+++ b/airtime_mvc/application/controllers/LoginController.php
@ -17,9 +17,17 @@ class LoginController extends Zend_Controller_Action
        
        //Allow AJAX requests from www.airtime.pro. We use this to automatically login users
        //after they sign up from the microsite.
+        //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
        $response = $this->getResponse()->setHeader('Access-Control-Allow-Origin', '*');
        $origin = $request->getHeader('Origin');
-        if (($origin != "") && (!in_array($origin, array("http://www.airtime.pro", "https://www.airtime.pro"))))
+        if (($origin != "") && 
+            (!in_array($origin, 
+                    array("http://www.airtime.pro", 
+                          "https://www.airtime.pro",
+                          "http://" . $_SERVER['SERVER_NAME'],
+                          "https://" . $_SERVER['SERVER_NAME']
+                ))
+            ))
        {
            //Don't allow CORS from other domains to prevent XSS.
            throw new Zend_Controller_Action_Exception('Forbidden', 403);