added support for CORS HTTP headers

Michael Bumann · Michael Bumann · commit c41e5555b14a · 2015-08-28T10:14:53.000+02:00
Sets the Cross-Origin Resource Sharing (CORS) headers in a global express middleware.
This option is configurable and disabled by default.

To enable CORS use the following config entry:

[http]
cors: true
diff --git a/src/lib/config.coffee b/src/lib/config.coffee
@@ -76,6 +76,7 @@ module.exports = (dnschain) ->
             internalTLSPort: 2500   # Not accessible from the internet, used internally only
             internalAdminPort: 3000 # Not accessible from the internet, used internally only
             host: '0.0.0.0' # what we bind to. 0.0.0.0 for the whole internet
+            cors: false
         redis:
             socket: '127.0.0.1:6379' # or UNIX domain socket path
             oldDNS:
diff --git a/src/lib/http.coffee b/src/lib/http.coffee
@@ -25,6 +25,13 @@ module.exports = (dnschain) ->
             @rateLimiting = gConf.get 'rateLimiting:http'
             app = express()
 
+            if gConf.get('http:cors')
+              @log.warn "Enabling CORS HTTP headers"
+              app.use (req, res, next) =>
+                res.header "Access-Control-Allow-Origin", "*"
+                res.header "Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept"
+                next()
+            
             # Openname spec defined here:
             # - https://github.com/okTurtles/openname-specifications/blob/resolvers/resolvers.md
             # - https://github.com/openname/openname-specifications/blob/master/resolvers.md
diff --git a/test/https.coffee b/test/https.coffee
@@ -66,6 +66,12 @@ describe 'https', ->
             console.info "Result: #{stdout}".bold
             stdout.should.containEql data
 
+    it 'should disable CORS by default', ->
+        getAsync("http://localhost:#{gConf.get 'http:port'}/v1/namecoin/key/d%2Fokturtles").then (res) ->
+            assert.equal(gConf.get('http:cors'), false)
+            assert.equal(res.header['access-control-allow-headers'], undefined)
+            assert.equal(res.header['access-control-allow-origin'], undefined)
+
     it 'should shutdown successfully', ->
         server.shutdown() # returns a promise. Mocha should handle that properly
 
