diff --git a/core-server/server/server.js b/core-server/server/server.js
index e1741d08b..b82f6307b 100644
--- a/core-server/server/server.js
+++ b/core-server/server/server.js
@@ -42,6 +42,8 @@ function Server(options) {
 }
 // Setup the default required plugins
 this.requiredPlugins = this.get("required-plugins").split(',');
+ // Initialise CORS
+ this.corsEnable = this.get("cors-enable") === "yes";
 // Initialise CSRF
 this.csrfDisable = this.get("csrf-disable") === "yes";
 // Initialize Gzip compression
@@ -261,6 +263,13 @@ Server.prototype.requestHandler = function(request,response,options) {
 state.urlInfo = url.parse(request.url);
 state.queryParameters = querystring.parse(state.urlInfo.query);
 state.pathPrefix = options.pathPrefix || this.get("path-prefix") || "";
+ // Enable CORS
+ if(this.corsEnable) {
+ response.setHeader("Access-Control-Allow-Origin", "*");
+ response.setHeader("Access-Control-Allow-Headers", "*");
+ response.setHeader("Access-Control-Allow-Methods", "*");
+ response.setHeader("Access-Control-Expose-Headers", "*");
+ }
 state.sendResponse = sendResponse.bind(self,request,response);
 // Get the principals authorized to access this resource
 state.authorizationType = options.authorizationType || this.methodMappings[request.method] || "readers";
@@ -285,6 +294,12 @@ Server.prototype.requestHandler = function(request,response,options) {
 response.end();
 return;
 }
+ // Reply to OPTIONS
+ if(this.corsEnable && request.method === "OPTIONS") {
+ response.writeHead(204);
+ response.end();
+ return;
+ }
 // Find the route that matches this path
 var route = self.findMatchingRoute(request,state);
 // Optionally output debug info
diff --git a/editions/tw5.com/tiddlers/releasenotes/5.4.0/#9277.tid b/editions/tw5.com/tiddlers/releasenotes/5.4.0/#9277.tid
new file mode 100644
index 000000000..9b39e16e7
--- /dev/null
+++ b/editions/tw5.com/tiddlers/releasenotes/5.4.0/#9277.tid
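Review bot: In the `if(this.corsEnable)` block added to requestHandler (hunk at new line 263), the four `*` values let a script on any origin read responses from this server and send any method or header, so any page the user visits can reach an instance that serves anonymous requests, for example one bound to localhost or an intranet address. The header-based CSRF check initialised next to `corsEnable` presumably no longer stops such requests, because `Access-Control-Allow-Headers: *` lets a cross-origin script add a custom header after a preflight; that check is outside the hunk, so please confirm. Browsers do not honour `*` for credentialed requests and `*` does not cover `Authorization`, so cookie or Basic-auth sessions stay unreachable cross-origin; I would record that in the comment, e.g. `// CORS: any origin may read and write wherever anonymous access is allowed; credentialed requests stay blocked by the wildcard origin`. Narrowing the wildcard to a configured list of origins, echoed back together with `Vary: Origin`, would be the safer default. requestHandler starts and ends outside the hunk.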
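Review bot: The `OPTIONS` reply added before `findMatchingRoute` (hunk at new line 294) runs only after the earlier checks in requestHandler, whose closing `response.end(); return; }` is the context just above it; browsers send preflights without credentials, so if those checks require authentication for the default `"readers"` type the preflight is likely rejected before this branch is reached. That may well be the safer outcome, but the comment should say so to make it deliberate, e.g. `// Preflight reply; only reached when the request passed the checks above`. The branch also answers every OPTIONS request with 204 rather than only preflights; `if(this.corsEnable && request.method === "OPTIONS" && request.headers["access-control-request-method"]) {` would limit it to them. The start of requestHandler and the checks themselves are outside the hunk.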
@@ -0,0 +1,10 @@
+title: $:/changenotes/5.4.0/#9277
+description: Added an option to enable CORS
+release: 5.4.0
+tags: $:/tags/ChangeNote
+change-type: feature
+change-category: developer
+github-links: https://github.com/TiddlyWiki/TiddlyWiki5/pull/9277
+github-contributors: kixam
+
+Added an option to the TiddlyWiki5 server to enable CORS (ie. don't check `same-origin`). It is meant for advanced users, do not use it unless you understand the full consequences.