From: Zach Copley <zach@status.net>
Date: Fri, 8 Jul 2011 00:19:59 +0000 (-0700)
Subject: Change a few things around for CORS header output
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=969a558339d63c67b18f1d28893992299af38a62;p=quix0rs-gnu-social.git
Change a few things around for CORS header output
---
diff --git a/actions/hostmeta.php b/actions/hostmeta.php
index 4c9e9b8ae5..fdebcf13af 100644
--- a/actions/hostmeta.php
+++ b/actions/hostmeta.php
@@ -44,6 +44,7 @@ class HostMetaAction extends Action
function handle()
{
parent::handle();
+ common_debug("GARGARGAR");
$domain = common_config('site', 'server');
@@ -59,11 +60,13 @@ class HostMetaAction extends Action
Event::handle('EndHostMetaLinks', array(&$xrd->links));
}
- global $config;
- if($config['site']['cors'] === true){
+ // Output Cross-Origin Resource Sharing (CORS) header
+ if (common_config('discovery', 'cors')) {
header('Access-Control-Allow-Origin: *');
}
+
header('Content-type: application/xrd+xml');
+
print $xrd->toXML();
}
}
diff --git a/actions/userxrd.php b/actions/userxrd.php
index 4ba7f91c7e..6fa738a5c9 100644
--- a/actions/userxrd.php
+++ b/actions/userxrd.php
@@ -31,9 +31,6 @@ class UserxrdAction extends XrdAction
{
parent::prepare($args);
global $config;
- if($config['site']['cors'] === true){
- header('Access-Control-Allow-Origin: *');
- }
$this->uri = $this->trimmed('uri');
$this->uri = self::normalize($this->uri);
diff --git a/config.php.sample b/config.php.sample
index 8ddac67417..87a1977b5f 100644
--- a/config.php.sample
+++ b/config.php.sample
@@ -40,8 +40,12 @@ $config['site']['path'] = 'statusnet';
// $config['site']['inviteonly'] = true;
// Make the site invisible to non-logged-in users
// $config['site']['private'] = true;
-// Allow Cross-Origin Resource Sharing
-// $config['site']['cors'] = true;
+
+// Allow Cross-Origin Resource Sharing (CORS) for service discovery
+// (host-meta, XRD, etc.) Useful for AJAXy client applications. Should
+// probably NOT be on for private / intranet sites but OK for public sites.
+// Default is off.
+// $config['discovery']['cors'] = true;
// If your web server supports X-Sendfile (Apache with mod_xsendfile,
// lighttpd, nginx), you can enable X-Sendfile support for better
diff --git a/lib/default.php b/lib/default.php
index 51d62ed767..a1f1ed6d8f 100644
--- a/lib/default.php
+++ b/lib/default.php
@@ -61,7 +61,6 @@ $default =
'textlimit' => 140,
'indent' => true,
'use_x_sendfile' => false,
- 'cors' => true,
'notice' => null, // site wide notice text
'build' => 1, // build number, for code-dependent cache
'minify' => true, // true to use the minified versions of JS files; false to use orig files. Can aid during development
@@ -350,4 +349,6 @@ $default =
),
'router' =>
array('cache' => true), // whether to cache the router object. Defaults to true, turn off for devel
+ 'discovery' =>
+ array('cors' => false) // Allow Cross-Origin Resource Sharing for service discovery (host-meta, XRD, etc.)
);
diff --git a/lib/xrdaction.php b/lib/xrdaction.php
index a0e7a1c415..3d55204f41 100644
--- a/lib/xrdaction.php
+++ b/lib/xrdaction.php
@@ -117,7 +117,12 @@ class XrdAction extends Action
Event::handle('EndXrdActionLinks', array(&$xrd, $this->user));
}
+ if (common_config('discovery', 'cors')) {
+ header('Access-Control-Allow-Origin: *');
+ }
+
header('Content-type: application/xrd+xml');
+
print $xrd->toXML();
}