From 448ab18a201c902b4e7a1aa468c352c20d034989 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Wed, 9 Nov 2016 18:06:01 +0100
Subject: [PATCH] Replace setting custom CORS headers with rack-cors, set it on /oauth/token endpoint
---
 Gemfile | 2 +-
 Gemfile.lock | 8 ++------
 app/controllers/api_controller.rb | 8 --------
 config/application.rb | 13 +++++++++++--
 4 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/Gemfile b/Gemfile
index 7eab0a5bb6..a3d5cdd455 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,7 +4,6 @@ gem 'rails', '5.0.0.1'
 gem 'sass-rails', '~> 5.0'
 gem 'uglifier', '>= 1.3.0'
 gem 'coffee-rails', '~> 4.1.0'
-gem 'therubyracer', platforms: :ruby
 gem 'jquery-rails'
 gem 'jbuilder', '~> 2.0'
 gem 'sdoc', '~> 0.4.0', group: :doc
@@ -39,6 +38,7 @@ gem 'htmlentities'
 gem 'simple_form'
 gem 'will_paginate'
 gem 'rack-attack'
+gem 'rack-cors', require: 'rack/cors'
 gem 'sidekiq'
 gem 'ledermann-rails-settings'
 gem 'neography'
diff --git a/Gemfile.lock b/Gemfile.lock
index 38b3101df3..56f9d34bcb 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -157,7 +157,6 @@ GEM activerecord (>= 3.1) letter_opener (1.4.1) launchy (~> 2.2) - libv8 (3.16.14.15) link_header (0.0.8) lograge (0.4.1) actionpack (>= 4, < 5.1)
@@ -219,6 +218,7 @@ GEM rack (2.0.1) rack-attack (5.0.1) rack + rack-cors (0.4.0) rack-protection (1.5.3) rack rack-test (0.6.3)
@@ -281,7 +281,6 @@ GEM redis-store (~> 1.2.0) redis-store (1.2.0) redis (>= 2.2) - ref (2.0.0) responders (2.3.0) railties (>= 4.2.0, < 5.1) rspec (3.5.0)
@@ -349,9 +348,6 @@ GEM activesupport (>= 4.0) sprockets (>= 3.0.0) temple (0.7.7) - therubyracer (0.12.2) - libv8 (~> 3.16.14.0) - ref thor (0.19.1) thread_safe (0.3.5) tilt (2.0.5)
@@ -419,6 +415,7 @@ DEPENDENCIES puma rabl rack-attack + rack-cors rails (= 5.0.0.1) rails_12factor rails_autolink
@@ -433,7 +430,6 @@ DEPENDENCIES sidekiq simple_form simplecov - therubyracer uglifier (>= 1.3.0) webmock will_paginate
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 5243f7d7b9..ef453799b3 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -7,7 +7,6 @@ class ApiController < ApplicationController
 skip_before_action :verify_authenticity_token
 before_action :set_rate_limit_headers
- before_action :set_cors_headers
 rescue_from ActiveRecord::RecordInvalid do |e|
 render json: { error: e.to_s }, status: 422
@@ -50,13 +49,6 @@ class ApiController < ApplicationController
 response.headers['X-RateLimit-Reset'] = (now + (match_data[:period] - now.to_i % match_data[:period])).to_s
 end
- def set_cors_headers
- response.headers['Access-Control-Allow-Origin'] = '*'
- response.headers['Access-Control-Allow-Methods'] = 'POST, PUT, DELETE, GET, OPTIONS'
- response.headers['Access-Control-Request-Method'] = '*'
- response.headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Authorization'
- end
-
 def set_pagination_headers(next_path = nil, prev_path = nil)
 links = []
 links << [next_path, [['rel', 'next']]] if next_path
diff --git a/config/application.rb b/config/application.rb
index 552f4ec117..dfe49b8ec5 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -27,6 +27,15 @@ module Mastodon
 config.active_job.queue_adapter = :sidekiq
+ config.middleware.insert_before 0, Rack::Cors do
+ allow do
+ origins '*'
+
+ resource '/api/*', :headers => :any, :methods => [:post, :put, :delete, :get, :options], credentials: false
+ resource '/oauth/token', :headers => :any, :methods => [:post], credentials: false
+ end
+ end
+
 config.middleware.use Rack::Attack
 config.middleware.use Rack::Deflater
@@ -38,9 +47,9 @@ module Mastodon
 end
 config.action_dispatch.default_headers = {
- 'X-Frame-Options' => 'DENY',
+ 'X-Frame-Options' => 'DENY',
 'X-Content-Type-Options' => 'nosniff',
- 'X-XSS-Protection' => '1; mode=block'
+ 'X-XSS-Protection' => '1; mode=block'
 }
 end
 end
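Review bot: In config/application.rb the new `allow` block serves `/api/*` and `/oauth/token` to `origins '*'` without recording why that is safe. It holds only while `credentials: false` stays and these routes authenticate by the `Authorization` header (as the removed Allow-Headers list suggests) rather than by a session cookie; a comment above `allow do` would pin that, e.g. `# Wildcard origin is safe only while credentials stay false and these routes never authenticate by cookie`. `:headers => :any` is also wider than the five request headers the removed `set_cors_headers` listed, so consider passing that list unless a client needs more. No `expose:` list is given, so cross-origin scripts cannot read the `X-RateLimit-*` headers ApiController sets (and presumably the pagination header); the removed code had the same gap. The enclosing application class starts and ends outside the hunk.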