liquid_feedback_frontend
annotate app/main/http_options.lua @ 1494:3e9b0f1adec3
Removed token based CSRF protection (WebMCP uses SameSite cookies now)
| author | bsw |
|---|---|
| date | Mon Dec 09 15:54:57 2019 +0100 (2019-12-09) |
| parents | 32cc544d5a5b |
| children | 26a1ed6bc9df |
| rev | line source |
|---|---|
| bsw/jbe@1309 | 1 -- TODO workaround, needs to be resolved in WebMCP's request.handler |
| bsw/jbe@1309 | 2 if not request._route then |
| bsw/jbe@1309 | 3 return |
| bsw/jbe@1309 | 4 end |
| bsw/jbe@1309 | 5 |
| bsw/jbe@1309 | 6 if request.get_module() == "oauth2" and request.get_view() == "session" then |
| bsw/jbe@1309 | 7 local origin = request.get_header("Origin") |
| bsw/jbe@1309 | 8 if origin then |
| bsw/jbe@1309 | 9 request.add_header("Access-Control-Allow-Origin", origin) |
| bsw/jbe@1309 | 10 end |
| bsw/jbe@1309 | 11 request.add_header("Access-Control-Allow-Credentials", "true") |
| bsw/jbe@1309 | 12 request.add_header("Access-Control-Max-Age", "0") |
| bsw/jbe@1309 | 13 else |
| bsw/jbe@1309 | 14 request.add_header("Access-Control-Allow-Origin", "*") |
| bsw/jbe@1309 | 15 end |
| bsw/jbe@1309 | 16 |
| bsw/jbe@1309 | 17 request.add_header("Access-Control-Allow-Headers", "Authorization") |