Commit ab0c617c authored by Xiaowu Zhang's avatar Xiaowu Zhang

erp5_hal_json_style: only allow officejs applications

parent 480b4e2c
...@@ -2,8 +2,12 @@ from zExceptions import Unauthorized ...@@ -2,8 +2,12 @@ from zExceptions import Unauthorized
if REQUEST is not None: if REQUEST is not None:
raise Unauthorized raise Unauthorized
origin = context.Base_getRequestHeader("Origin")
if not origin or not (origin.endswith(".app.officejs.com") or origin.endswith(".app.officejs.cn")):
return
RESPONSE.setHeader("Access-Control-Allow-Credentials", "true") RESPONSE.setHeader("Access-Control-Allow-Credentials", "true")
RESPONSE.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept") RESPONSE.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
RESPONSE.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS, HEAD, DELETE, PUT, POST") RESPONSE.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS, HEAD, DELETE, PUT, POST")
RESPONSE.setHeader("Access-Control-Allow-Origin", context.Base_getRequestHeader("Origin")) RESPONSE.setHeader("Access-Control-Allow-Origin", origin)
RESPONSE.setHeader("Access-Control-Expose-Headers", "Content-Type, Content-Length, WWW-Authenticate, X-Location") RESPONSE.setHeader("Access-Control-Expose-Headers", "Content-Type, Content-Length, WWW-Authenticate, X-Location")
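Review bot: The allowlist on the added `if not origin or not (...)` line tests only the host suffix of the Origin header and never its scheme, so an `http://` origin under those domains would still be granted `Access-Control-Allow-Credentials: true`; tightening the condition to `origin.startswith("https://") and (origin.endswith(".app.officejs.com") or origin.endswith(".app.officejs.cn"))` keeps credentialed CORS to TLS origins only. Because `Access-Control-Allow-Origin` is now echoed from the request's Origin (the new `RESPONSE.setHeader("Access-Control-Allow-Origin", origin)` line), the response differs per origin and a shared cache could hand one origin's headers to another; unless it is set elsewhere in this script, `RESPONSE.setHeader("Vary", "Origin")` belongs alongside the other headers. The script's first line (the import) and its return value after the headers lie outside the hunk.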