not sending the access control headers by default, send only when the...

not sending the access control headers by default, send only when the allowed_origins directive is set

include/ngx_http_push_stream_module_setup.h

@@ -43,7 +43,7 @@ static time_t NGX_HTTP_PUSH_STREAM_DEFAULT_MESSAGE_TTL                    = 1800
 #define NGX_HTTP_PUSH_STREAM_DEFAULT_MESSAGE_TEMPLATE "~text~"
 #define NGX_HTTP_PUSH_STREAM_DEFAULT_FOOTER_TEMPLATE  ""
 
-#define NGX_HTTP_PUSH_STREAM_DEFAULT_ALLOWED_ORIGINS  "*"
+#define NGX_HTTP_PUSH_STREAM_DEFAULT_ALLOWED_ORIGINS  ""
 
 #define NGX_HTTP_PUSH_STREAM_DEFAULT_PADDING_BY_USER_AGENT  "[A|a]ndroid 2,4097,4097:[S|s]afari,1025,0"
 

misc/spec/publisher/properties_spec.rb

@@ -341,29 +341,33 @@ describe "Publisher Properties" do
       end
     end
 
-    it "should set a default access control allow orgin header" do
-      channel = 'test_default_access_control_allow_origin_header'
+    it "should not receive acess control allow headers by default" do
+      channel = 'test_access_control_allow_headers'
 
       nginx_run_server(config) do |conf|
         EventMachine.run do
           pub = EventMachine::HttpRequest.new(nginx_address + '/pub?id=' + channel).get :head => headers
           pub.callback do
-            pub.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("*")
+            pub.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should be_nil
+
             EventMachine.stop
           end
         end
       end
     end
 
-    it "should set a custom access control allow orgin header" do
-      channel = 'test_custom_access_control_allow_origin_header'
+    context "when allow origin directive is set" do
+      it "should receive acess control allow headers" do
+        channel = 'test_access_control_allow_headers'
 
-      nginx_run_server(config.merge(:allowed_origins => "custom.domain.com")) do |conf|
-        EventMachine.run do
-          pub = EventMachine::HttpRequest.new(nginx_address + '/pub?id=' + channel).get :head => headers
-          pub.callback do
-            pub.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("custom.domain.com")
-            EventMachine.stop
+        nginx_run_server(config.merge(:allowed_origins => "custom.domain.com")) do |conf|
+          EventMachine.run do
+            pub = EventMachine::HttpRequest.new(nginx_address + '/pub?id=' + channel).get :head => headers
+            pub.callback do
+              pub.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("custom.domain.com")
+
+              EventMachine.stop
+            end
           end
         end
       end

misc/spec/subscriber/properties_spec.rb

@@ -819,16 +819,16 @@ describe "Subscriber Properties" do
     end
   end
 
-  it "should receive acess control allow headers" do
+  it "should not receive acess control allow headers by default" do
     channel = 'test_access_control_allow_headers'
 
     nginx_run_server(config) do |conf|
       EventMachine.run do
         sub_1 = EventMachine::HttpRequest.new(nginx_address + '/sub/' + channel.to_s).get :head => headers
         sub_1.stream do |chunk|
-          sub_1.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("*")
-          sub_1.response_header['ACCESS_CONTROL_ALLOW_METHODS'].should eql("GET")
-          sub_1.response_header['ACCESS_CONTROL_ALLOW_HEADERS'].should eql("If-Modified-Since,If-None-Match")
+          sub_1.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should be_nil
+          sub_1.response_header['ACCESS_CONTROL_ALLOW_METHODS'].should be_nil
+          sub_1.response_header['ACCESS_CONTROL_ALLOW_HEADERS'].should be_nil
 
           EventMachine.stop
         end
@@ -836,30 +836,20 @@ describe "Subscriber Properties" do
     end
   end
 
-  it "should set a default access control allow orgin header" do
-    channel = 'test_default_access_control_allow_origin_header'
+  context "when allow origin directive is set" do
+    it "should receive acess control allow headers" do
+      channel = 'test_access_control_allow_headers'
 
-    nginx_run_server(config) do |conf|
-      EventMachine.run do
-        sub_1 = EventMachine::HttpRequest.new(nginx_address + '/sub/' + channel.to_s).get :head => headers
-        sub_1.stream do |chunk|
-          sub_1.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("*")
-
-          EventMachine.stop
-        end
-      end
-    end
-  end
-
-  it "should set a custom access control allow orgin header" do
-    channel = 'test_custom_access_control_allow_origin_header'
+      nginx_run_server(config.merge(:allowed_origins => "custom.domain.com")) do |conf|
+        EventMachine.run do
+          sub_1 = EventMachine::HttpRequest.new(nginx_address + '/sub/' + channel.to_s).get :head => headers
+          sub_1.stream do |chunk|
+            sub_1.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("custom.domain.com")
+            sub_1.response_header['ACCESS_CONTROL_ALLOW_METHODS'].should eql("GET")
+            sub_1.response_header['ACCESS_CONTROL_ALLOW_HEADERS'].should eql("If-Modified-Since,If-None-Match")
 
-    nginx_run_server(config.merge(:allowed_origins => "custom.domain.com")) do |conf|
-      EventMachine.run do
-        sub_1 = EventMachine::HttpRequest.new(nginx_address + '/sub/' + channel.to_s).get :head => headers
-        sub_1.stream do |chunk|
-          sub_1.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("custom.domain.com")
-          EventMachine.stop
+            EventMachine.stop
+          end
         end
       end
     end

src/ngx_http_push_stream_module_publisher.c

@@ -37,7 +37,9 @@ ngx_http_push_stream_publisher_handler(ngx_http_request_t *r)
 
     r->keepalive = cf->keepalive;
 
-    ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, &cf->allowed_origins);
+    if (cf->allowed_origins.len > 0) {
+        ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, &cf->allowed_origins);
+    }
 
     // only accept GET, POST and DELETE methods if enable publisher administration
     if ((cf->location_type == NGX_HTTP_PUSH_STREAM_PUBLISHER_MODE_ADMIN) && !(r->method & (NGX_HTTP_GET|NGX_HTTP_POST|NGX_HTTP_DELETE))) {

src/ngx_http_push_stream_module_subscriber.c

@@ -53,9 +53,11 @@ ngx_http_push_stream_subscriber_handler(ngx_http_request_t *r)
     ngx_str_t                                      *explain_error_message;
 
     // add headers to support cross domain requests
-    ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, &cf->allowed_origins);
-    ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_METHODS, &NGX_HTTP_PUSH_STREAM_ALLOW_GET);
-    ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_HEADERS, &NGX_HTTP_PUSH_STREAM_ALLOWED_HEADERS);
+    if (cf->allowed_origins.len > 0) {
+        ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, &cf->allowed_origins);
+        ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_METHODS, &NGX_HTTP_PUSH_STREAM_ALLOW_GET);
+        ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_HEADERS, &NGX_HTTP_PUSH_STREAM_ALLOWED_HEADERS);
+    }
 
     if (r->method & NGX_HTTP_OPTIONS) {
         return ngx_http_push_stream_send_only_header_response(r, NGX_HTTP_OK, NULL);