app/controllers/openstax/api/v1/api_controller.rb in openstax_api-5.5.5 vs app/controllers/openstax/api/v1/api_controller.rb in openstax_api-6.0.0
- old
+ new
@@ -1,11 +1,11 @@
module OpenStax
module Api
module V1
class ApiController < ActionController::Base
-
+
include ::Roar::Rails::ControllerAdditions
include OpenStax::Api::Roar
include OpenStax::Api::Apipie
protect_from_forgery with: :exception
@@ -71,17 +71,26 @@
def set_date_header
response.date = Time.now unless response.date?
end
def set_cors_preflight_headers
- headers['Access-Control-Allow-Origin'] = '*'
+ headers['Access-Control-Allow-Origin'] = validated_cors_origin
headers['Access-Control-Allow-Methods'] = 'GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS'
- headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Token'
+ headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Token, Authorization'
headers['Access-Control-Max-Age'] = '86400'
end
def set_cors_headers
- headers['Access-Control-Allow-Origin'] = '*'
+ headers['Access-Control-Allow-Origin'] = validated_cors_origin
+ end
+
+ def validated_cors_origin
+ if OpenStax::Api.configuration.validate_cors_origin &&
+ OpenStax::Api.configuration.validate_cors_origin[ request ]
+ request.headers["HTTP_ORIGIN"]
+ else
+ '' # an empty string will disallow any access
+ end
end
end
end
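Review bot: `validated_cors_origin` now reflects the request's `Origin` back as `Access-Control-Allow-Origin`, so the response body-for-origin varies per request, but neither `set_cors_headers` nor `set_cors_preflight_headers` adds `Vary: Origin`; a shared cache in front of the API (and, for preflights, the browser's preflight cache given `Access-Control-Max-Age` of `86400`) can replay one origin's allow header to a different origin. Add `headers['Vary'] = 'Origin'` next to each `Access-Control-Allow-Origin` assignment in both methods. The whole allow/deny decision is delegated to `OpenStax::Api.configuration.validate_cors_origin[request]`, which receives the full request; that callable presumably compares `Origin` against an allow-list, and it should do so with exact (anchored) matching rather than substring or unanchored regex, since any origin it accepts is echoed verbatim. The enclosing `ApiController` class begins outside this hunk.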