erp5_hal_json_style: customize cors setting

e259fba2 · Xiaowu Zhang · 54c2a368 · e259fba2
Commit e259fba2 authored Oct 16, 2019 by Xiaowu Zhang
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/Base_prepareCorsResponse.py ...tal_skins/erp5_hal_json_style/Base_prepareCorsResponse.py +4 -1

No files found.
--- a/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/Base_prepareCorsResponse.py
+++ b/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/Base_prepareCorsResponse.py
@@ -2,8 +2,11 @@ from zExceptions import Unauthorized
 if REQUEST is not None:
  raise Unauthorized

+origin = context.Base_getRequestHeader("Origin")
+if not origin or not (origin.endswith(".app.officejs.com") or origin.endswith(".app.officejs.cn") or origin.endswith(".host.vifib.net") or origin.endswith(".node.vifib.com")):
+  return
 RESPONSE.setHeader("Access-Control-Allow-Credentials", "true")
 RESPONSE.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
 RESPONSE.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS, HEAD, DELETE, PUT, POST")
-RESPONSE.setHeader("Access-Control-Allow-Origin", context.Base_getRequestHeader("Origin"))
+RESPONSE.setHeader("Access-Control-Allow-Origin", origin)
 RESPONSE.setHeader("Access-Control-Expose-Headers", "Content-Type, Content-Length, WWW-Authenticate, X-Location")