Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'whmcs-login' into whmcs-login-saas

This commit is contained in:
Albert Santoni 2014-06-23 13:24:47 -04:00
parent 1da3424fa9 6302e3b335
commit 55ff95a34f
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
airtime_mvc/application/controllers/LoginController.php
View File

@ -17,9 +17,17 @@ class LoginController extends Zend_Controller_Action
//Allow AJAX requests from www.airtime.pro. We use this to automatically login users //Allow AJAX requests from www.airtime.pro. We use this to automatically login users
//after they sign up from the microsite. //after they sign up from the microsite.
//Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
$response = $this->getResponse()->setHeader('Access-Control-Allow-Origin', '*'); $response = $this->getResponse()->setHeader('Access-Control-Allow-Origin', '*');
$origin = $request->getHeader('Origin'); $origin = $request->getHeader('Origin');
if (($origin != "") && (!in_array($origin, array("http://www.airtime.pro", "https://www.airtime.pro")))) if (($origin != "") &&
(!in_array($origin,
array("http://www.airtime.pro",
"https://www.airtime.pro",
"http://" . $_SERVER['SERVER_NAME'],
"https://" . $_SERVER['SERVER_NAME']
))
))
{ {
//Don't allow CORS from other domains to prevent XSS. //Don't allow CORS from other domains to prevent XSS.
throw new Zend_Controller_Action_Exception('Forbidden', 403); throw new Zend_Controller_Action_Exception('Forbidden', 403);