From 413b27a21e87db8b7e99a84bb679455b3b216658 Mon Sep 17 00:00:00 2001
From: Yannick Mau <yannick.mau@real-digital.de>
Date: Mon, 17 Feb 2020 17:44:58 +0100
Subject: [PATCH] Add support for multiple cors origins

---
 plugin/config.json |  2 +-
 plugin/web.py      | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/plugin/config.json b/plugin/config.json
index e995d16..9fd31b6 100644
--- a/plugin/config.json
+++ b/plugin/config.json
@@ -3,5 +3,5 @@
     "apiLogPath": null,
     "webBindAddress": "127.0.0.1",
     "webBindPort": 8765,
-    "webCorsOrigin": "http://localhost"
+    "webCorsOrigin": ["http://localhost"]
 }
diff --git a/plugin/web.py b/plugin/web.py
index 68e2e2b..adfb71f 100644
--- a/plugin/web.py
+++ b/plugin/web.py
@@ -153,10 +153,20 @@ class WebServer:
             except ValueError:
                 body = json.dumps(None).encode('utf-8')
 
+        # handle multiple cors origins by checking the 'origin'-header against the allowed origin list from the config
+        webCorsOriginsSetting = util.setting('webCorsOrigin')
+        corsOrigin = "http://localhost"
+        if len(webCorsOriginsSetting) == 1:
+            corsOrigin = webCorsOriginsSetting[0]
+        elif b"origin" in req.headers:
+            originStr = req.headers[b"origin"].decode()
+            if originStr in webCorsOriginsSetting:
+                corsOrigin = originStr
+
         headers = [
             ['HTTP/1.1 200 OK', None],
             ['Content-Type', 'text/json'],
-            ['Access-Control-Allow-Origin', util.setting('webCorsOrigin')],
+            ['Access-Control-Allow-Origin', corsOrigin],
             ['Content-Length', str(len(body))]
         ]