Commit 35bffe85 authored by Cédric Le Ninivin's avatar Cédric Le Ninivin

ERP5Security: JWT always set CORS Headers

parent 06f21399
...@@ -113,8 +113,9 @@ class ERP5JSONWebTokenPlugin(BasePlugin): ...@@ -113,8 +113,9 @@ class ERP5JSONWebTokenPlugin(BasePlugin):
if login_pw is not None: if login_pw is not None:
creds[ 'login' ], creds[ 'password' ] = login_pw creds[ 'login' ], creds[ 'password' ] = login_pw
else: else:
# SameSite Policy is implemented serverside
origin = request.getHeader("Origin", None) origin = request.getHeader("Origin", None)
# SameSite Policy is implemented serverside
if origin is None: if origin is None:
referer_url = request.getHeader("Referer", None) referer_url = request.getHeader("Referer", None)
if referer_url is not None: if referer_url is not None:
...@@ -127,6 +128,22 @@ class ERP5JSONWebTokenPlugin(BasePlugin): ...@@ -127,6 +128,22 @@ class ERP5JSONWebTokenPlugin(BasePlugin):
cookie = self.same_site_cookie cookie = self.same_site_cookie
origin = None origin = None
else: else:
# Always allow CORS when credentials are not in the request
request.response.setHeader("Access-Control-Allow-Credentials", "true")
request.response.setHeader(
"Access-Control-Allow-Headers",
"Origin, X-Requested-With, Content-Type, Accept"
)
request.response.setHeader(
"Access-Control-Allow-Methods",
"GET, OPTIONS, HEAD, DELETE, PUT, POST"
)
request.response.setHeader("Access-Control-Allow-Origin", origin)
request.response.setHeader(
"Access-Control-Expose-Headers",
"Content-Type, Content-Length, WWW-Authenticate, X-Location"
)
# For CORS use a different token
cookie = self.cors_cookie cookie = self.cors_cookie
token = request.cookies.get(cookie) token = request.cookies.get(cookie)
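Review bot: Reflecting the request's `Origin` header verbatim into `Access-Control-Allow-Origin` while also sending `Access-Control-Allow-Credentials: true` (the first and the `origin`-valued `setHeader` calls in the added block) lets a page from any origin make credentialed cross-site requests that carry the cookie read by `request.cookies.get(cookie)` and read the response; browsers refuse `*` with credentials precisely to prevent this, and unconditional reflection reproduces the same exposure. Unless the token behind `self.cors_cookie` is deliberately privilege-bounded for this use (the `# For CORS use a different token` comment suggests intent, but nothing visible here shows it), the reflection should be gated on a configured allow-list of origins instead of applied to every non-None `origin`. Because the header value changes per request, add `request.response.setHeader("Vary", "Origin")` alongside it so an intermediate cache cannot hand one origin's response to another. The comment `# Always allow CORS when credentials are not in the request` reads as a safety argument, but the branch only means no login/password pair arrived; `# No login/password in the request: answer CORS with Allow-Credentials so the browser sends the CORS cookie` states what the code actually does. The enclosing method starts before and continues after this hunk.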