From 6302e3b3359afcfc1108735b1645bf33ca06c33d Mon Sep 17 00:00:00 2001
From: Albert Santoni <albert.santoni@sourcefabric.org>
Date: Mon, 23 Jun 2014 13:24:28 -0400
Subject: [PATCH] Fix CORS with Chrome

---
 .../application/controllers/LoginController.php        | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/airtime_mvc/application/controllers/LoginController.php b/airtime_mvc/application/controllers/LoginController.php
index 0ddb17d2d..7c18f5dc6 100644
--- a/airtime_mvc/application/controllers/LoginController.php
+++ b/airtime_mvc/application/controllers/LoginController.php
@@ -17,9 +17,17 @@ class LoginController extends Zend_Controller_Action
         
         //Allow AJAX requests from www.airtime.pro. We use this to automatically login users
         //after they sign up from the microsite.
+        //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
         $response = $this->getResponse()->setHeader('Access-Control-Allow-Origin', '*');
         $origin = $request->getHeader('Origin');
-        if (($origin != "") && (!in_array($origin, array("http://www.airtime.pro", "https://www.airtime.pro"))))
+        if (($origin != "") && 
+            (!in_array($origin, 
+                    array("http://www.airtime.pro", 
+                          "https://www.airtime.pro",
+                          "http://" . $_SERVER['SERVER_NAME'],
+                          "https://" . $_SERVER['SERVER_NAME']
+                ))
+            ))
         {
             //Don't allow CORS from other domains to prevent XSS.
             throw new Zend_Controller_Action_Exception('Forbidden', 403);
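Review bot: The two whitelist entries added on lines 26-27 are built from `$_SERVER['SERVER_NAME']` alone, so an instance served on a non-default port (browser Origin `http://host:8080`) still fails the `in_array` check and gets the 403 this patch is meant to avoid for Chrome; the local entries need the port appended when `$_SERVER['SERVER_PORT']` is not 80/443. On typical Apache configurations `SERVER_NAME` is also filled from the client-supplied Host header unless `UseCanonicalName On` is set, so the allow-list is no longer purely server-defined — deriving the local origin from the application's configured base URL would be safer. Line 19 still sends `Access-Control-Allow-Origin: *` before any origin is validated, so the throw is the only enforcement; after the check passes, echoing the validated origin — `$this->getResponse()->setHeader('Access-Control-Allow-Origin', $origin)->setHeader('Vary', 'Origin');` — makes the header match the policy. `in_array` should take `true` as its third argument so the comparison is strict. The enclosing action method starts before this hunk and continues past it.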