fix: [breaking] send configured config URL as origin if not custom

This is a breaking change if your install uses multiple URLs to access. You will need to update the Access-Control-Allow-Origin header in ACP > Advanced > Headers to supply all URLs you use to access your site
4 years ago · 205a10308e
parent 7a019494e8
commit 205a10308e
1 changed files with 7 additions and 0 deletions
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@ -2,6 +2,7 @@

 const os = require('os');
 const winston = require('winston');
+const nconf = require('nconf');
 const _ = require('lodash');

 const meta = require('../meta');
@ -34,6 +35,7 @@ module.exports = function (middleware) {

 			if (origins.includes(req.get('origin'))) {
 				headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));
+				headers.Vary = headers.Vary ? `${headers.Vary}, Origin` : 'Origin';
 			}
 		}

@ -52,10 +54,15 @@ module.exports = function (middleware) {
 			originsRegex.forEach(function (regex) {
 				if (regex && regex.test(req.get('origin'))) {
 					headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));
+					headers.Vary = headers.Vary ? `${headers.Vary}, Origin` : 'Origin';
 				}
 			});
 		}

+		if (!headers.hasOwnProperty('Access-Control-Allow-Origin')) {
+			headers['Access-Control-Allow-Origin'] = nconf.get('url');
+		}
+
 		if (meta.config['access-control-allow-credentials']) {
 			headers['Access-Control-Allow-Credentials'] = meta.config['access-control-allow-credentials'];
 		}