commit
dfd34ba700
3 changed files with 17 additions and 3 deletions
@ -7,11 +7,13 @@ class CORSHelper
|
|||
{
|
||||
//Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
|
||||
$origin = $request->getHeader('Origin');
|
||||
$allowedOrigins = self::getAllowedOrigins($request);
|
||||
|
||||
if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
|
||||
(!in_array($origin, self::getAllowedOrigins($request))))
|
||||
{
|
||||
(!in_array($origin, $allowedOrigins))
|
||||
) {
|
||||
//Don't allow CORS from other domains to prevent XSS.
|
||||
Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!");
|
||||
throw new Zend_Controller_Action_Exception('Forbidden', 403);
|
||||
}
|
||||
//Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.
|
||||
|
|
|
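Review bot: The localhost exemption in the rewritten condition is unanchored, so `preg_match("/https?:\/\/localhost/", $origin)` also matches any Origin whose host merely begins with `localhost`, not only the local webserver, and such a request bypasses the allow-list check that follows. Anchor the pattern and allow an optional port, `preg_match('#^https?://localhost(:\d+)?$#', $origin) === 1`, and harden the neighbouring comparisons with `$origin !== ""` and `in_array($origin, $allowedOrigins, true)` so loose type juggling cannot widen a match. The new `$allowedOrigins` line correctly reuses one getAllowedOrigins() result for both the check and the log message. The enclosing method's signature and the getAllowedOrigins helper are outside the hunk.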
@ -1556,7 +1556,16 @@ class Application_Model_Preference
|
|||
* @param string $value
|
||||
* @return void
|
||||
*/
|
||||
public static function SetAllowedCorsUrls($value) {
|
||||
public static function SetAllowedCorsUrls($value)
|
||||
{
|
||||
// Trim and strip trailing slash for each entry
|
||||
$value = implode(PHP_EOL, array_map(
|
||||
function ($v) {
|
||||
return rtrim(trim($v), '/');
|
||||
},
|
||||
explode(PHP_EOL, $value)
|
||||
));
|
||||
|
||||
self::setValue('allowed_cors_urls', $value);
|
||||
}
|
||||
|
||||
|
|
|
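Review bot: Blank lines in the submitted value survive the new normalisation in SetAllowedCorsUrls, because `rtrim(trim($v), '/')` turns them into empty strings that are joined straight back into the stored list, so the allow-list later read by CORSHelper may contain an empty entry. Drop them after the map, e.g. `array_filter(array_map(...), function ($v) { return $v !== ''; })`, wrapped in `array_values()` if a list is required, and since the method now rewrites its input the docblock (which opens above the hunk) should say so: `* Each line is trimmed and stripped of a trailing slash before storage.` A typed signature, `public static function SetAllowedCorsUrls(string $value): void`, would let strict_types reject non-string input at the boundary, but confirm the file declares strict_types and check existing callers before narrowing it.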
@ -42,6 +42,9 @@
|
|||
</form>
|
||||
|
||||
<script>
|
||||
$("#corsUrl").text(function() {
|
||||
return window.location.origin;
|
||||
});
|
||||
$("#corsSlideToggle").click(function() {
|
||||
$("#corsFormBody").slideToggle(500);
|
||||
$("#corsCaret").toggleClass("caret-up");
|
||||
|
|
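Review bot: The callback passed to `.text()` on the new `#corsUrl` line only returns a constant expression, so `$("#corsUrl").text(window.location.origin);` does the same thing more directly. Writing the origin through `.text()` rather than `.html()` is the right choice, since the value is inserted as text and not interpreted as markup. The `<script>` block continues past the end of the hunk, and the `#corsUrl` element it targets is presumably defined in the form above, outside the hunk.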