From e4551bb321a79c83ebca00d1ba587506349a6d91 Mon Sep 17 00:00:00 2001
From: jo
Date: Thu, 7 Oct 2021 19:05:56 +0200
Subject: [PATCH] Better cors error logging

---
 airtime_mvc/application/common/CORSHelper.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/airtime_mvc/application/common/CORSHelper.php b/airtime_mvc/application/common/CORSHelper.php
index 04c9d8c38..af5ab1635 100644
--- a/airtime_mvc/application/common/CORSHelper.php
+++ b/airtime_mvc/application/common/CORSHelper.php
@@ -7,11 +7,13 @@ class CORSHelper {
 //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
 $origin = $request->getHeader('Origin');
+ $allowedOrigins = self::getAllowedOrigins($request);
 if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) &&
 ($origin != "") &&
- (!in_array($origin, self::getAllowedOrigins($request))))
- {
+ (!in_array($origin, $allowedOrigins))
+ ) {
 //Don't allow CORS from other domains to prevent XSS.
+ Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!");
 throw new Zend_Controller_Action_Exception('Forbidden', 403);
 }
 //Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.