Merge pull request #10813 from tobiasd/20211003-lengthcounter

[friendica.git] / src / App / Module.php

diff --git a/src/App/Module.php b/src/App/Module.php
index 8cc4dd7109cafb5aa3e37ba6372f3a8305479a05..f15b1236e81042708e97a56e0834026da05e1656 100644 (file)
--- a/src/App/Module.php
+++ b/src/App/Module.php
@@ -63,7 +63,6 @@ class Module
                'outbox',
                'poco',
                'post',
-               'proxy',
                'pubsub',
                'pubsubhubbub',
                'receive',
@@ -265,13 +264,35 @@ class Module
                        $logger->debug('index.php: page not found.', ['request_uri' => $server['REQUEST_URI'], 'address' => $server['REMOTE_ADDR'], 'query' => $server['QUERY_STRING']]);
                }
 
+               // @see https://github.com/tootsuite/mastodon/blob/c3aef491d66aec743a3a53e934a494f653745b61/config/initializers/cors.rb
+               if (substr($_REQUEST['pagename'] ?? '', 0, 12) == '.well-known/') {
+                       header('Access-Control-Allow-Origin: *');
+                       header('Access-Control-Allow-Headers: *');
+                       header('Access-Control-Allow-Methods: ' . Router::GET);
+                       header('Access-Control-Allow-Credentials: false');
+               } elseif (substr($_REQUEST['pagename'] ?? '', 0, 8) == 'profile/') {
+                       header('Access-Control-Allow-Origin: *');
+                       header('Access-Control-Allow-Headers: *');
+                       header('Access-Control-Allow-Methods: ' . Router::GET);
+                       header('Access-Control-Allow-Credentials: false');
+               } elseif (substr($_REQUEST['pagename'] ?? '', 0, 4) == 'api/') {
+                       header('Access-Control-Allow-Origin: *');
+                       header('Access-Control-Allow-Headers: *');
+                       header('Access-Control-Allow-Methods: ' . implode(',', Router::ALLOWED_METHODS));
+                       header('Access-Control-Allow-Credentials: false');
+                       header('Access-Control-Expose-Headers: Link');
+               } elseif (substr($_REQUEST['pagename'] ?? '', 0, 11) == 'oauth/token') {
+                       header('Access-Control-Allow-Origin: *');
+                       header('Access-Control-Allow-Headers: *');
+                       header('Access-Control-Allow-Methods: ' . Router::POST);
+                       header('Access-Control-Allow-Credentials: false');
+               }
+
+               // @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
+               // @todo Check allowed methods per requested path
                if ($server['REQUEST_METHOD'] === Router::OPTIONS) {
                        header('HTTP/1.1 204 No Content');
-                       header('access-control-allow-credentials: true');
-                       header('access-control-allow-headers: Authorization,Content-Type');
-                       header('access-control-allow-methods: ' . implode(',', Router::ALLOWED_METHODS));
-                       header('access-control-allow-origin: *');
-                       header('access-control-max-age: 86400');
+                       header('Allow: ' . implode(',', Router::ALLOWED_METHODS));
                        exit();
                }