From 413b27a21e87db8b7e99a84bb679455b3b216658 Mon Sep 17 00:00:00 2001
From: Yannick Mau
Date: Mon, 17 Feb 2020 17:44:58 +0100
Subject: [PATCH 1/2] Add support for multiple cors origins
---
 plugin/config.json | 2 +-
 plugin/web.py | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/plugin/config.json b/plugin/config.json
index e995d16..9fd31b6 100644
--- a/plugin/config.json
+++ b/plugin/config.json
@@ -3,5 +3,5 @@
 "apiLogPath": null,
 "webBindAddress": "127.0.0.1",
 "webBindPort": 8765,
- "webCorsOrigin": "http://localhost"
+ "webCorsOrigin": ["http://localhost"]
 }
diff --git a/plugin/web.py b/plugin/web.py
index 68e2e2b..adfb71f 100644
--- a/plugin/web.py
+++ b/plugin/web.py
@@ -153,10 +153,20 @@ class WebServer:
 except ValueError:
 body = json.dumps(None).encode('utf-8')
+ # handle multiple cors origins by checking the 'origin'-header against the allowed origin list from the config
+ webCorsOriginsSetting = util.setting('webCorsOrigin')
+ corsOrigin = "http://localhost"
+ if len(webCorsOriginsSetting) == 1:
+ corsOrigin = webCorsOriginsSetting[0]
+ elif b"origin" in req.headers:
+ originStr = req.headers[b"origin"].decode()
+ if originStr in webCorsOriginsSetting:
+ corsOrigin = originStr
+
 headers = [
 ['HTTP/1.1 200 OK', None],
 ['Content-Type', 'text/json'],
- ['Access-Control-Allow-Origin', util.setting('webCorsOrigin')],
+ ['Access-Control-Allow-Origin', corsOrigin],
 ['Content-Length', str(len(body))]
 ]
From 002b7cbf97e0494caada96dfc0b6043de33f683b Mon Sep 17 00:00:00 2001
From: Yannick Mau
Date: Fri, 28 Feb 2020 01:17:53 +0100
Subject: [PATCH 2/2] Deprecate field 'webCorsOrigin' but keep temporary support for it.
---
 plugin/config.json | 3 ++-
 plugin/util.py | 1 +
 plugin/web.py | 20 +++++++++++++-------
 3 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/plugin/config.json b/plugin/config.json
index 9fd31b6..00f2f30 100644
--- a/plugin/config.json
+++ b/plugin/config.json
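Review bot: In the PATCH 1/2 hunk for plugin/web.py, `req.headers[b"origin"].decode()` sits after the `try`/`except ValueError` shown at the top of the hunk, so an Origin header that is not valid UTF-8 raises UnicodeDecodeError with nothing visible here to catch it; the same call is carried into the 2/2 hunk. A lenient decode turns that case into an ordinary allow-list miss: `originStr = req.headers[b"origin"].decode('utf-8', errors='replace')`. Because Access-Control-Allow-Origin now varies with the request's Origin, `headers` should also gain `['Vary', 'Origin']` so an intermediate cache cannot replay one origin's response to another. The handler method that contains this code starts and ends outside the hunk.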
@@ -3,5 +3,6 @@
 "apiLogPath": null,
 "webBindAddress": "127.0.0.1",
 "webBindPort": 8765,
- "webCorsOrigin": ["http://localhost"]
+ "webCorsOrigin": "http://localhost",
+ "webCorsOriginList": ["http://localhost"]
 }
diff --git a/plugin/util.py b/plugin/util.py
index 740840e..c64567a 100644
--- a/plugin/util.py
+++ b/plugin/util.py
@@ -54,6 +54,7 @@ def setting(key):
 'webBindAddress': os.getenv('ANKICONNECT_BIND_ADDRESS', '127.0.0.1'),
 'webBindPort': 8765,
 'webCorsOrigin': os.getenv('ANKICONNECT_CORS_ORIGIN', 'http://localhost'),
+ 'webCorsOriginList': ['http://localhost'],
 'webTimeout': 10000,
 }
diff --git a/plugin/web.py b/plugin/web.py
index adfb71f..5431742 100644
--- a/plugin/web.py
+++ b/plugin/web.py
@@ -154,13 +154,19 @@ class WebServer:
 body = json.dumps(None).encode('utf-8')
 # handle multiple cors origins by checking the 'origin'-header against the allowed origin list from the config
- webCorsOriginsSetting = util.setting('webCorsOrigin')
- corsOrigin = "http://localhost"
- if len(webCorsOriginsSetting) == 1:
- corsOrigin = webCorsOriginsSetting[0]
- elif b"origin" in req.headers:
- originStr = req.headers[b"origin"].decode()
- if originStr in webCorsOriginsSetting:
+ webCorsOriginList = util.setting('webCorsOriginList')
+
+ # keep support for deprecated 'webCorsOrigin' field, as long it is not removed
+ webCorsOrigin = util.setting('webCorsOrigin')
+ if webCorsOrigin:
+ webCorsOriginList.append(webCorsOrigin)
+
+ corsOrigin = 'http://localhost'
+ if len(webCorsOriginList) == 1:
+ corsOrigin = webCorsOriginList[0]
+ elif b'origin' in req.headers:
+ originStr = req.headers[b'origin'].decode()
+ if originStr in webCorsOriginList:
 corsOrigin = originStr
 headers = [
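Review bot: In the PATCH 2/2 hunk for plugin/web.py, `webCorsOriginList.append(webCorsOrigin)` mutates whatever list `util.setting('webCorsOriginList')` returned, and it runs on every request; if that list is the live config object rather than a fresh copy (not visible in this hunk), the allow-list grows with each response. Even with a fresh list, the defaults give `['http://localhost', 'http://localhost']`, so the `len(webCorsOriginList) == 1` branch is not reached whenever the deprecated field is set, and a legacy single value such as `*` is then only matched literally against the Origin header. Copy and de-duplicate before comparing: `webCorsOriginList = list(util.setting('webCorsOriginList'))` and `if webCorsOrigin and webCorsOrigin not in webCorsOriginList:`. The comment above the block should say whether a legacy wildcard is still meant to be honoured. The enclosing method starts and ends outside the hunk.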