commit b22e496b057a30c7f3df7208e6d24518fe93c33d
parent 16c2f6602a0ba0c0772479e7d2d3f92607642ba5
Author: Dan Stillman <dstillman@zotero.org>
Date: Wed, 18 Apr 2018 16:15:26 -0400
Allow setting CORS allowed origins for translation-server
Diffstat:
1 file changed, 32 insertions(+), 14 deletions(-)
diff --git a/chrome/content/zotero/xpcom/server.js b/chrome/content/zotero/xpcom/server.js
@@ -242,17 +242,18 @@ Zotero.Server.DataListener.prototype._headerFinished = function() {
const hostRe = /[\r\n]Host: *(localhost|127\.0\.0\.1)(:[0-9]+)?[\r\n]/i;
const contentTypeRe = /[\r\n]Content-Type: *([^ \r\n]+)/i;
- if(!Zotero.isServer) {
- const originRe = /[\r\n]Origin: *([^ \r\n]+)/i;
- var m = originRe.exec(this.header);
- if(m) {
- this.origin = m[1];
- } else {
- const bookmarkletRe = /[\r\n]Zotero-Bookmarklet: *([^ \r\n]+)/i;
- var m = bookmarkletRe.exec(this.header);
- if(m) this.origin = "https://www.zotero.org";
- }
-
+ const originRe = /[\r\n]Origin: *([^ \r\n]+)/i;
+ var m = originRe.exec(this.header);
+ if (m) {
+ this.origin = m[1];
+ }
+ else {
+ const bookmarkletRe = /[\r\n]Zotero-Bookmarklet: *([^ \r\n]+)/i;
+ var m = bookmarkletRe.exec(this.header);
+ if (m) this.origin = "https://www.zotero.org";
+ }
+
+ if (!Zotero.isServer) {
// Make sure the Host header is set to localhost/127.0.0.1 to prevent DNS rebinding attacks
if (!hostRe.exec(this.header)) {
this._requestFinished(this._generateResponse(400, "text/plain", "Invalid Host header\n"));
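Review bot: Hoisting the whole block out of the `!Zotero.isServer` guard means the `Zotero-Bookmarklet` fallback on the `if (m) this.origin = "https://www.zotero.org";` line now also runs in translation-server mode, where a request carrying that header but no `Origin` header gets the zotero.org origin assigned and, if that origin is in `httpServer.allowedOrigins`, receives CORS headers. The commit message only mentions allowed origins, so it is unclear whether that widening is intended; if only the `Origin` parse is needed server-side, keeping the `else` branch under a `if (!Zotero.isServer)` guard, or adding a comment such as `// Bookmarklet fallback is only meaningful for the client, but is harmless server-side since CORS is enforced in _generateResponse`, would make the intent explicit. The enclosing `_headerFinished` function starts and ends outside this hunk.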
@@ -333,12 +334,29 @@ Zotero.Server.DataListener.prototype._bodyData = function() {
*/
Zotero.Server.DataListener.prototype._generateResponse = function(status, contentType, body) {
var response = "HTTP/1.0 "+status+" "+Zotero.Server.responseCodes[status]+"\r\n";
- if(!Zotero.isServer) {
+
+ // Translation server
+ if (Zotero.isServer) {
+ // Add CORS headers if Origin header matches the allowed origins
+ if (this.origin) {
+ let allowedOrigins = Zotero.Prefs.get('httpServer.allowedOrigins')
+ .split(/, */).filter(x => x);
+ let allAllowed = allowedOrigins.includes('*');
+ if (allAllowed || allowedOrigins.includes(this.origin)) {
+ response += "Access-Control-Allow-Origin: " + (allAllowed ? '*' : this.origin) + "\r\n";
+ response += "Access-Control-Allow-Methods: POST, GET, OPTIONS\r\n";
+ response += "Access-Control-Allow-Headers: Content-Type\r\n";
+ }
+ }
+ }
+ // Client
+ else {
response += "X-Zotero-Version: "+Zotero.version+"\r\n";
response += "X-Zotero-Connector-API-Version: "+CONNECTOR_API_VERSION+"\r\n";
- if(this.origin === ZOTERO_CONFIG.BOOKMARKLET_ORIGIN ||
+
+ if (this.origin === ZOTERO_CONFIG.BOOKMARKLET_ORIGIN ||
this.origin === ZOTERO_CONFIG.HTTP_BOOKMARKLET_ORIGIN) {
- response += "Access-Control-Allow-Origin: "+this.origin+"\r\n";
+ response += "Access-Control-Allow-Origin: " + this.origin + "\r\n";
response += "Access-Control-Allow-Methods: POST, GET, OPTIONS\r\n";
response += "Access-Control-Allow-Headers: Content-Type,X-Zotero-Connector-API-Version,X-Zotero-Version\r\n";
}
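Review bot: When a specific origin (not `*`) is echoed back in `Access-Control-Allow-Origin`, the response lacks a `Vary: Origin` header, so any cache in front of the translation server may serve the response — with the first requester's origin baked in — to a different allowed origin, which then fails CORS, or conversely leak a cached allow to a non-allowed origin; add `response += "Vary: Origin\r\n";` inside the `if (allAllowed || ...)` branch next to the `Access-Control-Allow-Origin` line. Separately, `Zotero.Prefs.get('httpServer.allowedOrigins').split(...)` throws if the pref is unset or non-string — presumably a default exists, but guarding with `(Zotero.Prefs.get('httpServer.allowedOrigins') || '').split(/, */)` costs nothing; a `.map(x => x.trim())` before the filter would also tolerate entries with surrounding whitespace, which `/, */` does not strip on the left. The existing client branch has the same missing `Vary` on its echoed origin, though that predates this change. The enclosing `_generateResponse` function continues past the end of this hunk.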