Change a few things around for CORS header output

2011-07-07 17:19:59 -07:00 · 2011-07-07 17:19:59 -07:00 · 969a558339
commit 969a558339
parent cb183359e2
5 changed files with 18 additions and 8 deletions
--- a/actions/hostmeta.php
+++ b/actions/hostmeta.php
@ -44,6 +44,7 @@ class HostMetaAction extends Action
    function handle()
    {
        parent::handle();
+        common_debug("GARGARGAR");

        $domain = common_config('site', 'server');

@ -59,11 +60,13 @@ class HostMetaAction extends Action
            Event::handle('EndHostMetaLinks', array(&$xrd->links));
        }

-        global $config;
-        if($config['site']['cors'] === true){
+        // Output Cross-Origin Resource Sharing (CORS) header
+        if (common_config('discovery', 'cors')) {
            header('Access-Control-Allow-Origin: *');
        }
+
        header('Content-type: application/xrd+xml');
+
        print $xrd->toXML();
    }
 }
--- a/actions/userxrd.php
+++ b/actions/userxrd.php
@ -31,9 +31,6 @@ class UserxrdAction extends XrdAction
    {
        parent::prepare($args);
        global $config;
-        if($config['site']['cors'] === true){
-            header('Access-Control-Allow-Origin: *');
-        }

        $this->uri = $this->trimmed('uri');
        $this->uri = self::normalize($this->uri);
--- a/config.php.sample
+++ b/config.php.sample
@ -40,8 +40,12 @@ $config['site']['path'] = 'statusnet';
 // $config['site']['inviteonly'] = true;
 // Make the site invisible to  non-logged-in users
 // $config['site']['private'] = true;
-// Allow Cross-Origin Resource Sharing
-// $config['site']['cors'] = true;
+
+// Allow Cross-Origin Resource Sharing (CORS) for service discovery
+// (host-meta, XRD, etc.) Useful for AJAXy client applications. Should
+// probably NOT be on for private / intranet sites but OK for public sites.
+// Default is off.
+// $config['discovery']['cors'] = true;

 // If your web server supports X-Sendfile (Apache with mod_xsendfile,
 // lighttpd, nginx), you can enable X-Sendfile support for better
--- a/lib/default.php
+++ b/lib/default.php
@ -61,7 +61,6 @@ $default =
              'textlimit' => 140,
              'indent' => true,
              'use_x_sendfile' => false,
-              'cors' => true,
              'notice' => null, // site wide notice text
              'build' => 1, // build number, for code-dependent cache
              'minify' => true, // true to use the minified versions of JS files; false to use orig files. Can aid during development
@ -350,4 +349,6 @@ $default =
              ),
        'router' =>
        array('cache' => true), // whether to cache the router object. Defaults to true, turn off for devel
+        'discovery' =>
+        array('cors' => false) // Allow Cross-Origin Resource Sharing for service discovery (host-meta, XRD, etc.)
    );
--- a/lib/xrdaction.php
+++ b/lib/xrdaction.php
@ -117,7 +117,12 @@ class XrdAction extends Action
            Event::handle('EndXrdActionLinks', array(&$xrd, $this->user));
        }

+        if (common_config('discovery', 'cors')) {
+            header('Access-Control-Allow-Origin: *');
+        }
+
        header('Content-type: application/xrd+xml');
+
        print $xrd->toXML();
    }