Relaxed CORS restriction from /api/ endpoint, see #46 (#47)

Now cross-site xhr-requests can work inside browser(by scripts or extensions) even if the authentication is enabled. Tested on an extension which uses /api/ endpoint with authentication feature and solves [https://github.com/ketankr9/cloud-torrent-extension/issues/1#issuecomment-570915569](https://github.com/ketankr9/cloud-torrent-extension/issues/1#issuecomment-570915569) Note: CORS only affects webHandle Co-authored-by: Preston <[email protected]>
boypt · Jul 21, 2021 · 732e936 · 732e936
1 parent 1cc6068
commit 732e936
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/server/server_http.go b/server/server_http.go
@@ -52,7 +52,12 @@ func (s *Server) webHandle(w http.ResponseWriter, r *http.Request) {
 	case "search":
 		s.scraperh.ServeHTTP(w, r)
 	case "api":
-		w.Header().Set("Access-Control-Allow-Headers", "authorization")
+		origin := r.Header.Get("Origin")
+		if origin == "" {
+			origin = "*"
+		}
+		w.Header().Set("Access-Control-Allow-Origin", origin)
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
 		s.restAPIhandle(w, r)
 	case "download":
 		s.dlfilesh.ServeHTTP(w, r)
@@ -67,7 +72,6 @@ func (s *Server) webHandle(w http.ResponseWriter, r *http.Request) {
 
 // restAPIhandle is used both by main webserver and restapi server
 func (s *Server) restAPIhandle(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Access-Control-Allow-Origin", "*")
 	switch r.Method {
 	case "POST":
 		if err := s.apiPOST(r); err != nil {