Commit 84185eec authored by Wandenberg Peixoto's avatar Wandenberg Peixoto

not sending the access control headers by default, send only when the...

not sending the access control headers by default, send only when the allowed_origins directive is set
parent 8a23634a
......@@ -43,7 +43,7 @@ static time_t NGX_HTTP_PUSH_STREAM_DEFAULT_MESSAGE_TTL = 1800
#define NGX_HTTP_PUSH_STREAM_DEFAULT_MESSAGE_TEMPLATE "~text~"
#define NGX_HTTP_PUSH_STREAM_DEFAULT_FOOTER_TEMPLATE ""
#define NGX_HTTP_PUSH_STREAM_DEFAULT_ALLOWED_ORIGINS "*"
#define NGX_HTTP_PUSH_STREAM_DEFAULT_ALLOWED_ORIGINS ""
#define NGX_HTTP_PUSH_STREAM_DEFAULT_PADDING_BY_USER_AGENT "[A|a]ndroid 2,4097,4097:[S|s]afari,1025,0"
......
......@@ -341,34 +341,38 @@ describe "Publisher Properties" do
end
end
it "should set a default access control allow orgin header" do
channel = 'test_default_access_control_allow_origin_header'
it "should not receive acess control allow headers by default" do
channel = 'test_access_control_allow_headers'
nginx_run_server(config) do |conf|
EventMachine.run do
pub = EventMachine::HttpRequest.new(nginx_address + '/pub?id=' + channel).get :head => headers
pub.callback do
pub.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("*")
pub.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should be_nil
EventMachine.stop
end
end
end
end
it "should set a custom access control allow orgin header" do
channel = 'test_custom_access_control_allow_origin_header'
context "when allow origin directive is set" do
it "should receive acess control allow headers" do
channel = 'test_access_control_allow_headers'
nginx_run_server(config.merge(:allowed_origins => "custom.domain.com")) do |conf|
EventMachine.run do
pub = EventMachine::HttpRequest.new(nginx_address + '/pub?id=' + channel).get :head => headers
pub.callback do
pub.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("custom.domain.com")
EventMachine.stop
end
end
end
end
end
end
context "when is on normal mode" do
let(:config) do
......
......@@ -819,16 +819,16 @@ describe "Subscriber Properties" do
end
end
it "should receive acess control allow headers" do
it "should not receive acess control allow headers by default" do
channel = 'test_access_control_allow_headers'
nginx_run_server(config) do |conf|
EventMachine.run do
sub_1 = EventMachine::HttpRequest.new(nginx_address + '/sub/' + channel.to_s).get :head => headers
sub_1.stream do |chunk|
sub_1.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("*")
sub_1.response_header['ACCESS_CONTROL_ALLOW_METHODS'].should eql("GET")
sub_1.response_header['ACCESS_CONTROL_ALLOW_HEADERS'].should eql("If-Modified-Since,If-None-Match")
sub_1.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should be_nil
sub_1.response_header['ACCESS_CONTROL_ALLOW_METHODS'].should be_nil
sub_1.response_header['ACCESS_CONTROL_ALLOW_HEADERS'].should be_nil
EventMachine.stop
end
......@@ -836,34 +836,24 @@ describe "Subscriber Properties" do
end
end
it "should set a default access control allow orgin header" do
channel = 'test_default_access_control_allow_origin_header'
nginx_run_server(config) do |conf|
EventMachine.run do
sub_1 = EventMachine::HttpRequest.new(nginx_address + '/sub/' + channel.to_s).get :head => headers
sub_1.stream do |chunk|
sub_1.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("*")
EventMachine.stop
end
end
end
end
it "should set a custom access control allow orgin header" do
channel = 'test_custom_access_control_allow_origin_header'
context "when allow origin directive is set" do
it "should receive acess control allow headers" do
channel = 'test_access_control_allow_headers'
nginx_run_server(config.merge(:allowed_origins => "custom.domain.com")) do |conf|
EventMachine.run do
sub_1 = EventMachine::HttpRequest.new(nginx_address + '/sub/' + channel.to_s).get :head => headers
sub_1.stream do |chunk|
sub_1.response_header['ACCESS_CONTROL_ALLOW_ORIGIN'].should eql("custom.domain.com")
sub_1.response_header['ACCESS_CONTROL_ALLOW_METHODS'].should eql("GET")
sub_1.response_header['ACCESS_CONTROL_ALLOW_HEADERS'].should eql("If-Modified-Since,If-None-Match")
EventMachine.stop
end
end
end
end
end
it "should receive the configured header template" do
channel = 'ch_test_header_template'
......
......@@ -37,7 +37,9 @@ ngx_http_push_stream_publisher_handler(ngx_http_request_t *r)
r->keepalive = cf->keepalive;
if (cf->allowed_origins.len > 0) {
ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, &cf->allowed_origins);
}
// only accept GET, POST and DELETE methods if enable publisher administration
if ((cf->location_type == NGX_HTTP_PUSH_STREAM_PUBLISHER_MODE_ADMIN) && !(r->method & (NGX_HTTP_GET|NGX_HTTP_POST|NGX_HTTP_DELETE))) {
......
......@@ -53,9 +53,11 @@ ngx_http_push_stream_subscriber_handler(ngx_http_request_t *r)
ngx_str_t *explain_error_message;
// add headers to support cross domain requests
if (cf->allowed_origins.len > 0) {
ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, &cf->allowed_origins);
ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_METHODS, &NGX_HTTP_PUSH_STREAM_ALLOW_GET);
ngx_http_push_stream_add_response_header(r, &NGX_HTTP_PUSH_STREAM_HEADER_ACCESS_CONTROL_ALLOW_HEADERS, &NGX_HTTP_PUSH_STREAM_ALLOWED_HEADERS);
}
if (r->method & NGX_HTTP_OPTIONS) {
return ngx_http_push_stream_send_only_header_response(r, NGX_HTTP_OK, NULL);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment