mirrors/zotero
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Allow setting CORS allowed origins for translation-server

Browse source
This commit is contained in:
Dan Stillman 2018-04-18 16:15:26 -04:00
parent 16c2f6602a
commit b22e496b05
1 changed files with 32 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
chrome/content/zotero/xpcom/server.js
View file

@ -242,17 +242,18 @@ Zotero.Server.DataListener.prototype._headerFinished = function() {
const hostRe = /[\r\n]Host: *(localhost|127\.0\.0\.1)(:[0-9]+)?[\r\n]/i; const hostRe = /[\r\n]Host: *(localhost|127\.0\.0\.1)(:[0-9]+)?[\r\n]/i;
const contentTypeRe = /[\r\n]Content-Type: *([^ \r\n]+)/i; const contentTypeRe = /[\r\n]Content-Type: *([^ \r\n]+)/i;
if(!Zotero.isServer) { const originRe = /[\r\n]Origin: *([^ \r\n]+)/i;
const originRe = /[\r\n]Origin: *([^ \r\n]+)/i; var m = originRe.exec(this.header);
var m = originRe.exec(this.header); if (m) {
if(m) { this.origin = m[1];
this.origin = m[1]; }
} else { else {
const bookmarkletRe = /[\r\n]Zotero-Bookmarklet: *([^ \r\n]+)/i; const bookmarkletRe = /[\r\n]Zotero-Bookmarklet: *([^ \r\n]+)/i;
var m = bookmarkletRe.exec(this.header); var m = bookmarkletRe.exec(this.header);
if(m) this.origin = "https://www.zotero.org"; if (m) this.origin = "https://www.zotero.org";
} }
if (!Zotero.isServer) {
// Make sure the Host header is set to localhost/127.0.0.1 to prevent DNS rebinding attacks // Make sure the Host header is set to localhost/127.0.0.1 to prevent DNS rebinding attacks
if (!hostRe.exec(this.header)) { if (!hostRe.exec(this.header)) {
this._requestFinished(this._generateResponse(400, "text/plain", "Invalid Host header\n")); this._requestFinished(this._generateResponse(400, "text/plain", "Invalid Host header\n"));
@ -333,12 +334,29 @@ Zotero.Server.DataListener.prototype._bodyData = function() {
*/ */
Zotero.Server.DataListener.prototype._generateResponse = function(status, contentType, body) { Zotero.Server.DataListener.prototype._generateResponse = function(status, contentType, body) {
var response = "HTTP/1.0 "+status+" "+Zotero.Server.responseCodes[status]+"\r\n"; var response = "HTTP/1.0 "+status+" "+Zotero.Server.responseCodes[status]+"\r\n";
if(!Zotero.isServer) {
// Translation server
if (Zotero.isServer) {
// Add CORS headers if Origin header matches the allowed origins
if (this.origin) {
let allowedOrigins = Zotero.Prefs.get('httpServer.allowedOrigins')
.split(/, */).filter(x => x);
let allAllowed = allowedOrigins.includes('*');
if (allAllowed || allowedOrigins.includes(this.origin)) {
response += "Access-Control-Allow-Origin: " + (allAllowed ? '*' : this.origin) + "\r\n";
response += "Access-Control-Allow-Methods: POST, GET, OPTIONS\r\n";
response += "Access-Control-Allow-Headers: Content-Type\r\n";
}
}
}
// Client
else {
response += "X-Zotero-Version: "+Zotero.version+"\r\n"; response += "X-Zotero-Version: "+Zotero.version+"\r\n";
response += "X-Zotero-Connector-API-Version: "+CONNECTOR_API_VERSION+"\r\n"; response += "X-Zotero-Connector-API-Version: "+CONNECTOR_API_VERSION+"\r\n";
if(this.origin === ZOTERO_CONFIG.BOOKMARKLET_ORIGIN ||
if (this.origin === ZOTERO_CONFIG.BOOKMARKLET_ORIGIN ||
this.origin === ZOTERO_CONFIG.HTTP_BOOKMARKLET_ORIGIN) { this.origin === ZOTERO_CONFIG.HTTP_BOOKMARKLET_ORIGIN) {
response += "Access-Control-Allow-Origin: "+this.origin+"\r\n"; response += "Access-Control-Allow-Origin: " + this.origin + "\r\n";
response += "Access-Control-Allow-Methods: POST, GET, OPTIONS\r\n"; response += "Access-Control-Allow-Methods: POST, GET, OPTIONS\r\n";
response += "Access-Control-Allow-Headers: Content-Type,X-Zotero-Connector-API-Version,X-Zotero-Version\r\n"; response += "Access-Control-Allow-Headers: Content-Type,X-Zotero-Connector-API-Version,X-Zotero-Version\r\n";
} }