From c3c87537a0aa76e4a15f084931eae3f2973f1bd6 Mon Sep 17 00:00:00 2001
From: murtaza98
Date: Thu, 1 Apr 2021 18:07:01 +0530
Subject: [PATCH 1/5] Fixes #21033 - Fix CORS error while interacting with any action buttons on Livechat

---
 app/apps/server/communication/uikit.js | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/app/apps/server/communication/uikit.js b/app/apps/server/communication/uikit.js
index 3010447e93051..9c07ff0b97681 100644
--- a/app/apps/server/communication/uikit.js
+++ b/app/apps/server/communication/uikit.js
@@ -1,4 +1,5 @@
 import express from 'express';
+import cors from 'cors';
 import rateLimit from 'express-rate-limit';
 import { Meteor } from 'meteor/meteor';
 import { WebApp } from 'meteor/webapp';
@@ -14,6 +15,25 @@ const apiServer = express();
 apiServer.disable('x-powered-by');
+if (settings.get('API_Enable_CORS')) {
+ const CORSOriginSetting = settings.get('API_CORS_Origin');
+
+ const whitelistOrigins = CORSOriginSetting
+ .trim()
+ .split(',')
+ .map((origin) => String(origin).trim().toLocaleLowerCase());
+
+ apiServer.use(cors({
+ origin: (origin, callback) => {
+ if (CORSOriginSetting === '*' || whitelistOrigins.includes(origin) || !origin) {
+ callback(null, true);
+ } else {
+ callback(new Error('Not allowed by CORS'));
+ }
+ },
+ }));
+}
 WebApp.connectHandlers.use(apiServer);
 // eslint-disable-next-line new-cap
From ba46d7fb3df3ef8e5d808a05d79fde2593bf708c Mon Sep 17 00:00:00 2001
From: Murtaza Patrawala <34130764+murtaza98@users.noreply.github.com>
Date: Mon, 5 Apr 2021 19:27:29 +0530
Subject: [PATCH 2/5] Update uikit.js

---
 app/apps/server/communication/uikit.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/apps/server/communication/uikit.js b/app/apps/server/communication/uikit.js
index 9c07ff0b97681..f55ade86d4950 100644
--- a/app/apps/server/communication/uikit.js
+++ b/app/apps/server/communication/uikit.js
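Review bot: The wildcard and the per-origin lookup in the new `origin` callback are normalised differently: `CORSOriginSetting === '*'` compares the raw, untrimmed setting, while the entries of `whitelistOrigins` were trimmed and lower-cased and the request `origin` is looked up as-is. A setting such as `' * '` or `*, https://example.com` is therefore not treated as a wildcard, and an allow-list entry that differs from the header only in case never matches. Consider `whitelistOrigins.includes('*') || whitelistOrigins.includes(String(origin).toLocaleLowerCase())` so both sides go through the same normalisation. Note also that both settings are read once at module load, so an admin change to them only takes effect after a restart; the `if` block is complete within the hunk.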
@@ -18,14 +18,14 @@ apiServer.disable('x-powered-by');
 if (settings.get('API_Enable_CORS')) {
 const CORSOriginSetting = settings.get('API_CORS_Origin');
- const whitelistOrigins = CORSOriginSetting
+ const allowlistOrigins = CORSOriginSetting
 .trim()
 .split(',')
 .map((origin) => String(origin).trim().toLocaleLowerCase());
 apiServer.use(cors({
 origin: (origin, callback) => {
- if (CORSOriginSetting === '*' || whitelistOrigins.includes(origin) || !origin) {
+ if (CORSOriginSetting === '*' || allowlistOrigins.includes(origin) || !origin) {
 callback(null, true);
 } else {
 callback(new Error('Not allowed by CORS'));
From 1a2dc751caffb8a14788e8be2c1cbd59c573ef77 Mon Sep 17 00:00:00 2001
From: Murtaza Patrawala <34130764+murtaza98@users.noreply.github.com>
Date: Sun, 11 Apr 2021 17:04:14 +0530
Subject: [PATCH 3/5] Auto Refresh settings

---
 app/apps/server/communication/uikit.js | 37 +++++++++++++------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/app/apps/server/communication/uikit.js b/app/apps/server/communication/uikit.js
index f55ade86d4950..fdfa8fdb4d3c6 100644
--- a/app/apps/server/communication/uikit.js
+++ b/app/apps/server/communication/uikit.js
@@ -15,24 +15,25 @@ const apiServer = express();
 apiServer.disable('x-powered-by');
-if (settings.get('API_Enable_CORS')) {
- const CORSOriginSetting = settings.get('API_CORS_Origin');
-
- const allowlistOrigins = CORSOriginSetting
- .trim()
- .split(',')
- .map((origin) => String(origin).trim().toLocaleLowerCase());
-
- apiServer.use(cors({
- origin: (origin, callback) => {
- if (CORSOriginSetting === '*' || allowlistOrigins.includes(origin) || !origin) {
- callback(null, true);
- } else {
- callback(new Error('Not allowed by CORS'));
- }
- },
- }));
-}
+let corsEnabled = false;
+let allowlistOrigins = [];
+
+settings.get('API_Enable_CORS', (_, value) => { corsEnabled = value; });
+
+settings.get('API_CORS_Origin', (_, value) => {
+ allowlistOrigins = value ? value.trim().split(',').map((origin) => String(origin).trim().toLocaleLowerCase()) : [];
+});
+
+apiServer.use(cors({
+ origin: (origin, callback) => {
+ if (!origin || (corsEnabled && (allowlistOrigins.includes('*') || allowlistOrigins.includes(origin)))) {
+ callback(null, true);
+ } else {
+ callback('Not allowed by CORS', false);
+ }
+ },
+}));
+
 WebApp.connectHandlers.use(apiServer);
From ab1add3a94c1a5b8f20416acec17c2cdc7828ffa Mon Sep 17 00:00:00 2001
From: Murtaza Patrawala <34130764+murtaza98@users.noreply.github.com>
Date: Tue, 20 Apr 2021 01:18:01 +0530
Subject: [PATCH 4/5] Fix same origin issue

---
 app/apps/server/communication/uikit.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/apps/server/communication/uikit.js b/app/apps/server/communication/uikit.js
index fdfa8fdb4d3c6..1e3f9b8371e0e 100644
--- a/app/apps/server/communication/uikit.js
+++ b/app/apps/server/communication/uikit.js
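Review bot: `callback('Not allowed by CORS', false)` in the rewritten `origin` callback hands a bare string to the `cors` package, which forwards it to Express's `next(err)`; the version being removed passed an `Error`, and error-handling middleware downstream generally expects an `Error` instance with a `message` and a stack rather than a string. Keep `callback(new Error('Not allowed by CORS'), false);`. Separately, the middleware is now registered unconditionally, so with `API_Enable_CORS` off every request that carries an `Origin` header lands in the rejecting branch — browsers also send `Origin` on same-origin POST/fetch requests, so that would presumably break the site's own callers unless something not visible here handles them. The `apiServer.use(cors(...))` statement is complete within the hunk.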
@@ -16,17 +16,17 @@ const apiServer = express();
 apiServer.disable('x-powered-by');
 let corsEnabled = false;
-let allowlistOrigins = [];
+let allowListOrigins = [];
 settings.get('API_Enable_CORS', (_, value) => { corsEnabled = value; });
 settings.get('API_CORS_Origin', (_, value) => {
- allowlistOrigins = value ? value.trim().split(',').map((origin) => String(origin).trim().toLocaleLowerCase()) : [];
+ allowListOrigins = value ? value.trim().split(',').map((origin) => String(origin).trim().toLocaleLowerCase()) : [];
 });
 apiServer.use(cors({
 origin: (origin, callback) => {
- if (!origin || (corsEnabled && (allowlistOrigins.includes('*') || allowlistOrigins.includes(origin)))) {
+ if (!origin || (corsEnabled && (allowListOrigins.includes('*') || allowListOrigins.includes(origin))) || origin === settings.get('Site_Url')) {
 callback(null, true);
 } else {
 callback('Not allowed by CORS', false);
From 41344851dcc094c276f2353d5d2ad539e0269a11 Mon Sep 17 00:00:00 2001
From: Murtaza Patrawala <34130764+murtaza98@users.noreply.github.com>
Date: Mon, 24 May 2021 13:52:56 +0530
Subject: [PATCH 5/5] Fix cors disabled not working

---
 app/apps/server/communication/uikit.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/apps/server/communication/uikit.js b/app/apps/server/communication/uikit.js
index 1e3f9b8371e0e..0743cfbc00af9 100644
--- a/app/apps/server/communication/uikit.js
+++ b/app/apps/server/communication/uikit.js
@@ -26,7 +26,7 @@ settings.get('API_CORS_Origin', (_, value) => {
 apiServer.use(cors({
 origin: (origin, callback) => {
- if (!origin || (corsEnabled && (allowListOrigins.includes('*') || allowListOrigins.includes(origin))) || origin === settings.get('Site_Url')) {
+ if (!origin || !corsEnabled || (corsEnabled && (allowListOrigins.includes('*') || allowListOrigins.includes(origin))) || origin === settings.get('Site_Url')) {
 callback(null, true);
 } else {
 callback('Not allowed by CORS', false);
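Review bot: The new `origin === settings.get('Site_Url')` clause on the `if` line is an exact string match against the raw setting, whereas the browser's `Origin` header is always `scheme://host[:port]` with no path, no trailing slash and a lower-cased host; if `Site_Url` is stored with a trailing slash or a sub-path (it is a URL setting, so that seems likely, though its stored format is not visible here) the same-origin exemption never fires. It is also the only setting read synchronously on every request, while `corsEnabled` and `allowListOrigins` are cached through `settings.get` listeners. Derive the site's origin once in a listener with `new URL(value).origin` and compare against that cached value instead. The enclosing `origin` callback is complete within the hunk.
```javascript
let siteOrigin = null;

settings.get('Site_Url', (_, value) => {
	// Normalise to scheme://host[:port] so it compares equal to the Origin header.
	try {
		siteOrigin = new URL(value).origin.toLocaleLowerCase();
	} catch {
		siteOrigin = null;
	}
});

// … unchanged: corsEnabled / allowListOrigins listeners …
		if (!origin || origin === siteOrigin || (corsEnabled && (allowListOrigins.includes('*') || allowListOrigins.includes(origin)))) {
```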
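Review bot: The added `!corsEnabled` short-circuit on the `if` line turns "CORS disabled" into "reflect any origin": `callback(null, true)` tells the `cors` package to echo the request's `Origin` back in `Access-Control-Allow-Origin`, so with `API_Enable_CORS` switched off every cross-origin page is granted access — wider than the allow-list the enabled mode enforces. Per the `cors` package's `origin` contract the way to stand down is `callback(null, false)`, which lets the request continue without emitting any CORS headers; that is also the right answer for the `!origin` and `Site_Url` cases, which need no CORS headers, leaving `true` for origins that pass the allow-list. The `corsEnabled &&` inside the third clause is redundant once `!corsEnabled` has already been tested. The `origin` callback is complete within the hunk.
```javascript
	origin: (origin, callback) => {
		// No Origin header, CORS switched off, or our own site: let the request
		// through without emitting any CORS headers.
		if (!origin || !corsEnabled || origin === settings.get('Site_Url')) {
			callback(null, false);
		} else if (allowListOrigins.includes('*') || allowListOrigins.includes(origin)) {
			// Allow-listed: reflect the origin in Access-Control-Allow-Origin.
			callback(null, true);
		} else {
			callback('Not allowed by CORS', false);
		}
	},
```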