

Allow setting multiple values for cors_origin (fixes #5198) (#5353)
* Allow setting multiple values for cors_origin (fixes #5198)

* fmt

* mention env var
Nutomic committed Jan 29, 2025
1 parent c583330 commit 5bda04f
Showing 3 changed files with 20 additions and 25 deletions.
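--- a/config/defaults.hjson
+++ b/config/defaults.hjson
@@ -110,7 +110,11 @@
 bind: "127.0.0.1"
 port: 10002
 }
-# Sets a response Access-Control-Allow-Origin CORS header
+# Sets a response Access-Control-Allow-Origin CORS header. Can also be set via environment:
+# `LEMMY_CORS_ORIGIN=example.org,site.com`
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
-cors_origin: "lemmy.tld"
+cors_origin: [
+"lemmy.tld"
+/* ... */
+]
 }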
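--- a/crates/routes/src/utils/mod.rs
+++ b/crates/routes/src/utils/mod.rs
@@ -9,30 +9,19 @@ pub fn cors_config(settings: &Settings) -> Cors {
 let self_origin = settings.get_protocol_and_hostname();
 let cors_origin_setting = settings.cors_origin();
 
-// A default setting for either wildcard, or None
-let cors_default = Cors::default()
-.allow_any_origin()
+let mut cors = Cors::default()
 .allow_any_method()
 .allow_any_header()
 .expose_any_header()
 .max_age(3600);
 
-match (cors_origin_setting.clone(), cfg!(debug_assertions)) {
-(Some(origin), false) => {
-// Need to call send_wildcard() explicitly, passing this into allowed_origin() results in
-// error
-if origin == "*" {
-cors_default
-} else {
-Cors::default()
-.allowed_origin(&origin)
-.allowed_origin(&self_origin)
-.allow_any_method()
-.allow_any_header()
-.expose_any_header()
-.max_age(3600)
-}
+if cfg!(debug_assertions) || cors_origin_setting.contains(&"*".to_string()) {
+cors = cors.allow_any_origin();
+} else {
+cors = cors.allowed_origin(&self_origin);
+for c in cors_origin_setting {
+cors = cors.allowed_origin(&c);
 }
-_ => cors_default,
 }
+cors
 }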
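Review bot: The wildcard branch treats a single `"*"` entry as "allow every origin" and silently ignores every other configured origin, and a debug build skips the list altogether; nothing in the function says so, and the comparison is exact, so an entry such as `" *"` from an untrimmed environment value falls through to `allowed_origin` instead. I would document this above the `if`, e.g. `// Any "*" entry, or a debug build, disables the origin allowlist; other entries are ignored.`, and write the test as `cors_origin_setting.iter().any(|o| o == "*")` so no `String` is allocated for the comparison. Entries are also handed to `allowed_origin` without validation, so a malformed value is only caught by whatever the CORS builder does with it; it is worth confirming that this fails loudly at startup rather than leaving an allowlist that never matches. `cors_config` begins above this hunk.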
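--- a/crates/utils/src/settings/structs.rs
+++ b/crates/utils/src/settings/structs.rs
@@ -44,17 +44,19 @@ pub struct Settings {
 // Prometheus configuration.
 #[doku(example = "Some(Default::default())")]
 pub prometheus: Option<PrometheusConfig>,
-/// Sets a response Access-Control-Allow-Origin CORS header
+/// Sets a response Access-Control-Allow-Origin CORS header. Can also be set via environment:
+/// `LEMMY_CORS_ORIGIN=example.org,site.com`
 /// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
 #[doku(example = "lemmy.tld")]
-cors_origin: Option<String>,
+cors_origin: Vec<String>,
 }
 
 impl Settings {
-pub fn cors_origin(&self) -> Option<String> {
+pub fn cors_origin(&self) -> Vec<String> {
 env::var("LEMMY_CORS_ORIGIN")
 .ok()
-.or(self.cors_origin.clone())
+.map(|e| e.split(',').map(ToString::to_string).collect())
+.unwrap_or(self.cors_origin.clone())
 }
 }
 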
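Review bot: The environment value is split on `,` without trimming or dropping empty pieces, so `LEMMY_CORS_ORIGIN=a.org, b.org` yields `" b.org"` and a variable that is set but empty yields `[""]`, both of which reach the CORS allowlist as-is. Trimming and filtering inside the closure keeps such entries out: `.map(|e| e.split(',').map(str::trim).filter(|s| !s.is_empty()).map(ToString::to_string).collect())`. `unwrap_or(self.cors_origin.clone())` also clones the configured list on every call even when the variable is set; `unwrap_or_else(|| self.cors_origin.clone())` defers it. Separately, the documented examples (`example.org,site.com`, `lemmy.tld`) carry no scheme while a browser's `Origin` header does, so if entries are matched against that header verbatim they would need to be written like `https://example.org`; this is worth confirming and reflecting in the doc comment.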
