Only set Access-Control-Allow-Origin to '*' when you actually want it

bohwaz 2022-10-28 23:57:47 +02:00
parent 932b557b89
commit 7dfa0af73b
3 changed files with 12 additions and 5 deletions


@ -41,6 +41,12 @@ define('KaraDAV\WWW_URL', sprintf('http%s://%s%s%s', $https, $name, $port, $root
*/
const WOPI_DISCOVERY_URL = null;
/**
* Set this to TRUE if you want 'Access-Control-Allow-Origin' header to be set to '*'
* and allow remote JS clients to make WebDAV requests.
*/
const ACCESS_CONTROL_ALL = false;
/**
* Path to a log file (eg. __DIR__ . '/debug.log')
* This will log all HTTP requests and responses received by the server
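Review bot: The docblock for `ACCESS_CONTROL_ALL` names only `Access-Control-Allow-Origin`, but the `http_options()` hunk in this same commit shows the switch also gating `Access-Control-Allow-Credentials`, `Access-Control-Allow-Headers` (with `Authorization`) and a method list that includes `PUT`, `DELETE` and `MOVE`. An operator deciding whether to enable it should see that scope in the config file. I would add a line such as `* This also enables the Allow-Credentials, Allow-Headers and Allow-Methods preflight headers; leave it FALSE unless you run a browser-based client on another origin.` Defaulting to `false` is the right safe choice.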


@ -19,7 +19,6 @@ class Server
public function route(?string $uri = null): bool
{
header('Access-Control-Allow-Origin: *', true);
$method = $_SERVER['REQUEST_METHOD'] ?? null;
// Always say YES to OPTIONS
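Review bot: With the unconditional header gone from `route()`, nothing visible in this commit sends `Access-Control-Allow-Origin` on non-OPTIONS responses, even when `ACCESS_CONTROL_ALL` is true; the only remaining place is `http_options()` in the WebDAV class. A browser would then accept the preflight but still refuse to expose the actual GET/PROPFIND/PUT response to the remote script, so the opt-in may not work as the config comment promises. If this is not handled elsewhere, gate the line instead of dropping it: `if (ACCESS_CONTROL_ALL) { header('Access-Control-Allow-Origin: *', true); }`, assuming the constant resolves here as it does in the WebDAV class. The body of `route()` continues outside the hunk, and which line was removed is inferred from the commit title and the one-line deletion count.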


@ -25,10 +25,12 @@ class WebDAV extends WebDAV_Server
{
parent::http_options();
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: Authorization, *');
header('Access-Control-Allow-Methods: GET,HEAD,PUT,DELETE,COPY,MOVE,PROPFIND,MKCOL,LOCK,UNLOCK');
if (ACCESS_CONTROL_ALL) {
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: Authorization, *');
header('Access-Control-Allow-Methods: GET,HEAD,PUT,DELETE,COPY,MOVE,PROPFIND,MKCOL,LOCK,UNLOCK');
}
}
public function log(string $message, ...$params)
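Review bot: Inside the new `if (ACCESS_CONTROL_ALL)` block, `Access-Control-Allow-Credentials: true` is sent together with `Access-Control-Allow-Origin: *`, a pair browsers reject for credentialed requests; the `*` in `Access-Control-Allow-Headers` is likewise read literally in that mode. The credentials line therefore grants nothing, and it invites a later "fix" that reflects the request's Origin, which would be the unsafe variant. I would drop `header('Access-Control-Allow-Credentials: true');` and add a comment such as `// Wildcard origin: browsers will not send cookies or stored HTTP auth, clients must set Authorization themselves`. If credentialed cross-origin access is ever needed, an explicit origin allow-list plus `Vary: Origin` is a safer shape than a boolean switch.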