Make CORS great again

This fixes CORS to work properly with most 2.5 api endpoints while keeping the JSONP format available. * [x] return JSONP or JSON with proper CORS headers from API * [x] Field in Genereal Preferences Form to configure CORS enabled URLs See #17 for what triggered this refactor. I beleive this should make integrating the APIs on the client side trivial without mandating the use of JSONP.
2017-03-10 15:10:56 +01:00 · 2017-03-10 15:10:56 +01:00 · baa0f9ba77
commit baa0f9ba77
parent e3785e25f9
7 changed files with 66 additions and 48 deletions
--- a/airtime_mvc/application/common/CORSHelper.php
+++ b/airtime_mvc/application/common/CORSHelper.php
@ -3,12 +3,9 @@

 class CORSHelper
 {
-    public static function enableATProCrossOriginRequests(&$request, &$response)
+    public static function enableCrossOriginRequests(&$request, &$response)
    {
-        //Allow AJAX requests from www.airtime.pro. We use this to automatically login users
-        //after they sign up from the microsite.
        //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
-        $response = $response->setHeader('Access-Control-Allow-Origin', '*');
        $origin = $request->getHeader('Origin');
        if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
            (!in_array($origin, self::getAllowedOrigins())))
@ -16,15 +13,20 @@ class CORSHelper
            //Don't allow CORS from other domains to prevent XSS.
            throw new Zend_Controller_Action_Exception('Forbidden', 403);
        }
+        //Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.
+        if ($origin) {
+            $response = $response->setHeader('Access-Control-Allow-Origin', $origin);
+        }
    }

    public static function getAllowedOrigins()
    {
-        return array("http://www.airtime.pro",
-                        "https://www.airtime.pro",
-                        "https://account.sourcefabric.com",
-                        "https://account.sourcefabric.com:5001",
+        $allowedCorsUrls = array_map(
+            function($v) { return trim($v); },
+            explode(PHP_EOL, Application_Model_Preference::GetAllowedCorsUrls())
+        );
+        return array_merge($allowedCorsUrls, array(
                        "http://" . $_SERVER['SERVER_NAME'],
-                        "https://" . $_SERVER['SERVER_NAME']);
+                        "https://" . $_SERVER['SERVER_NAME']));
    }
 }