Merge pull request #269 from aleksei-burlakov/access-control-allow-or…

…igins Parametrize CORS Access-Control-Allow-Origin header
ClusterLabs · Dec 8, 2023 · 5fb7d91 · 5fb7d91
2 parents 97c130d + 1aadfc6
commit 5fb7d91
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/hawk/app/controllers/application_controller.rb b/hawk/app/controllers/application_controller.rb
@@ -113,7 +113,7 @@ def set_current_title
   def cors_set_access_control_headers
     response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"
     if request.headers['Origin']
-      response.headers['Access-Control-Allow-Origin'] = request.headers["Origin"]
+      response.headers['Access-Control-Allow-Origin'] = ENV["HAWK_ACCESS_CONTROL_ALLOW_ORIGIN"] || request.headers["Origin"]
       response.headers['Access-Control-Allow-Credentials'] = 'true'
       response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
       response.headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, Authorization, X-CSRF-Token, Token'
@@ -123,7 +123,7 @@ def cors_set_access_control_headers
 
   def cors_preflight_check
     if request.method == 'OPTIONS' && request.headers['Origin']
-      response.headers["Access-Control-Allow-Origin"] = request.headers["Origin"]
+      response.headers['Access-Control-Allow-Origin'] = ENV["HAWK_ACCESS_CONTROL_ALLOW_ORIGIN"] || request.headers["Origin"]
       response.headers['Access-Control-Allow-Credentials'] = 'true'
       response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
       response.headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Token'

diff --git a/scripts/sysconfig.hawk b/scripts/sysconfig.hawk
@@ -57,3 +57,13 @@ HAWK_KEY="/etc/hawk/hawk.key"
 # Configures an SSL certificate that the Hawk web server presents.
 HAWK_CERT="/etc/hawk/hawk.pem"
 
+## Path:            Cluster/Hawk
+## Description:     CORS Access-Control-Allow-Origin
+## Type:            string
+## Default:         request.headers["Origin"], i.e. the one who sends request
+## ServiceRestart:  hawk
+# This value will is used for Access-Control-Allow-Origin
+# when generation response header when loging into hawk.
+# When the value is not defined the request.headers["Origin"] is used.
+# Here we explicitely forbid origins.
+HAWK_ACCESS_CONTROL_ALLOW_ORIGIN=""