summaryrefslogtreecommitdiff
path: root/res/res_stasis_http.c
diff options
context:
space:
mode:
Diffstat (limited to 'res/res_stasis_http.c')
-rw-r--r--res/res_stasis_http.c53
1 files changed, 38 insertions, 15 deletions
diff --git a/res/res_stasis_http.c b/res/res_stasis_http.c
index 7cd92f48f..e9dab79f5 100644
--- a/res/res_stasis_http.c
+++ b/res/res_stasis_http.c
@@ -293,6 +293,26 @@ static void add_allow_header(struct stasis_rest_handlers *handler,
ast_str_append(&response->headers, 0, "\r\n");
}
+static int origin_allowed(const char *origin)
+{
+ RAII_VAR(struct ari_conf *, cfg, ari_config_get(), ao2_cleanup);
+
+ char *allowed = ast_strdupa(cfg->general->allowed_origins);
+ char *current;
+
+ while ((current = strsep(&allowed, ","))) {
+ if (!strcmp(current, "*")) {
+ return 1;
+ }
+
+ if (!strcmp(current, origin)) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
#define ACR_METHOD "Access-Control-Request-Method"
#define ACR_HEADERS "Access-Control-Request-Headers"
#define ACA_METHODS "Access-Control-Allow-Methods"
@@ -333,7 +353,7 @@ static void handle_options(struct stasis_rest_handlers *handler,
}
/* CORS 6.2, #1 - "If the Origin header is not present terminate this
- * set of steps.
+ * set of steps."
*/
if (origin == NULL) {
return;
@@ -343,14 +363,16 @@ static void handle_options(struct stasis_rest_handlers *handler,
* case-sensitive match for any of the values in list of origins do not
* set any additional headers and terminate this set of steps.
*
- * "Always matching is acceptable since the list of origins can be
+ * Always matching is acceptable since the list of origins can be
* unbounded.
*
- * "The Origin header can only contain a single origin as the user agent
- * will not follow redirects.
- *
- * TODO - pull list of allowed origins from config
+ * The Origin header can only contain a single origin as the user agent
+ * will not follow redirects."
*/
+ if (!origin_allowed(origin)) {
+ ast_log(LOG_NOTICE, "Origin header '%s' does not match an allowed origin.\n", origin);
+ return;
+ }
/* CORS 6.2, #3 - "If there is no Access-Control-Request-Method header
* or if parsing failed, do not set any additional headers and terminate
@@ -397,7 +419,7 @@ static void handle_options(struct stasis_rest_handlers *handler,
* case-insensitive match for any of the values in list of headers do
* not set any additional headers and terminate this set of steps.
*
- * "Note: Always matching is acceptable since the list of headers can be
+ * Note: Always matching is acceptable since the list of headers can be
* unbounded."
*/
@@ -423,7 +445,7 @@ static void handle_options(struct stasis_rest_handlers *handler,
/* CORS 6.2, #10 - "Add one or more Access-Control-Allow-Headers headers
* consisting of (a subset of) the list of headers.
*
- * "Since the list of headers can be unbounded simply returning headers
+ * Since the list of headers can be unbounded simply returning headers
* can be enough."
*/
if (!ast_strlen_zero(acr_headers)) {
@@ -700,25 +722,26 @@ static void process_cors_request(struct ast_variable *headers,
* case-sensitive match for any of the values in list of origins, do not
* set any additional headers and terminate this set of steps.
*
- * "Note: Always matching is acceptable since the list of origins can be
+ * Note: Always matching is acceptable since the list of origins can be
* unbounded."
- *
- * TODO - pull list of allowed origins from config
*/
+ if (!origin_allowed(origin)) {
+ ast_log(LOG_NOTICE, "Origin header '%s' does not match an allowed origin.\n", origin);
+ return;
+ }
/* CORS 6.1, #3 - "If the resource supports credentials add a single
* Access-Control-Allow-Origin header, with the value of the Origin
* header as value, and add a single Access-Control-Allow-Credentials
* header with the case-sensitive string "true" as value.
*
- * "Otherwise, add a single Access-Control-Allow-Origin header, with
+ * Otherwise, add a single Access-Control-Allow-Origin header, with
* either the value of the Origin header or the string "*" as value."
- *
- * TODO - when we add authentication, this will change to
- * Access-Control-Allow-Credentials.
*/
ast_str_append(&response->headers, 0,
"Access-Control-Allow-Origin: %s\r\n", origin);
+ ast_str_append(&response->headers, 0,
+ "Access-Control-Allow-Credentials: true\r\n");
/* CORS 6.1, #4 - "If the list of exposed headers is not empty add one
* or more Access-Control-Expose-Headers headers, with as values the
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-09 02:43:47 +0000