github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-14 03:52:49 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

DEV: apply allow origin response header for CDN requests. (#11893)

Browse Source 
Currently, it creates a CORS error while accessing those static files.
This commit is contained in:
Vinoth Kannan
2021-01-29 07:44:49 +05:30
committed by GitHub
parent 4af4d36175
commit a5923ad603
12 changed files with 62 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/application_controller.rb
View File

@ -680,6 +680,10 @@ class ApplicationController < ActionController::Base
raise ApplicationController::RenderEmpty.new unless ((request.format && request.format.json?) || request.xhr?) raise ApplicationController::RenderEmpty.new unless ((request.format && request.format.json?) || request.xhr?)
end end
def apply_cdn_headers
Discourse.apply_cdn_headers(response.headers) if Discourse.is_cdn_request?(request.env, request.method)
end
def self.requires_login(arg = {}) def self.requires_login(arg = {})
@requires_login_arg = arg @requires_login_arg = arg
end end

2
app/controllers/highlight_js_controller.rb
View File

@ -3,6 +3,8 @@
class HighlightJsController < ApplicationController class HighlightJsController < ApplicationController
skip_before_action :preload_json, :redirect_to_login_if_required, :check_xhr, :verify_authenticity_token, only: [:show] skip_before_action :preload_json, :redirect_to_login_if_required, :check_xhr, :verify_authenticity_token, only: [:show]
before_action :apply_cdn_headers, only: [:show]
def show def show
no_cookies no_cookies

2
app/controllers/static_controller.rb
View File

@ -7,6 +7,8 @@ class StaticController < ApplicationController
skip_before_action :preload_json, only: [:brotli_asset, :cdn_asset, :enter, :favicon, :service_worker_asset] skip_before_action :preload_json, only: [:brotli_asset, :cdn_asset, :enter, :favicon, :service_worker_asset]
skip_before_action :handle_theme, only: [:brotli_asset, :cdn_asset, :enter, :favicon, :service_worker_asset] skip_before_action :handle_theme, only: [:brotli_asset, :cdn_asset, :enter, :favicon, :service_worker_asset]
before_action :apply_cdn_headers, only: [:brotli_asset, :cdn_asset, :enter, :favicon, :service_worker_asset]
PAGES_WITH_EMAIL_PARAM = ['login', 'password_reset', 'signup'] PAGES_WITH_EMAIL_PARAM = ['login', 'password_reset', 'signup']
MODAL_PAGES = ['password_reset', 'signup'] MODAL_PAGES = ['password_reset', 'signup']

2
app/controllers/stylesheets_controller.rb
View File

@ -3,6 +3,8 @@
class StylesheetsController < ApplicationController class StylesheetsController < ApplicationController
skip_before_action :preload_json, :redirect_to_login_if_required, :check_xhr, :verify_authenticity_token, only: [:show, :show_source_map, :color_scheme] skip_before_action :preload_json, :redirect_to_login_if_required, :check_xhr, :verify_authenticity_token, only: [:show, :show_source_map, :color_scheme]
before_action :apply_cdn_headers, only: [:show, :show_source_map, :color_scheme]
def show_source_map def show_source_map
show_resource(source_map: true) show_resource(source_map: true)
end end

2
app/controllers/svg_sprite_controller.rb
View File

@ -3,6 +3,8 @@
class SvgSpriteController < ApplicationController class SvgSpriteController < ApplicationController
skip_before_action :preload_json, :redirect_to_login_if_required, :check_xhr, :verify_authenticity_token, only: [:show, :search, :svg_icon] skip_before_action :preload_json, :redirect_to_login_if_required, :check_xhr, :verify_authenticity_token, only: [:show, :search, :svg_icon]
before_action :apply_cdn_headers, only: [:show, :search, :svg_icon]
requires_login except: [:show, :svg_icon] requires_login except: [:show, :svg_icon]
def show def show

2
app/controllers/theme_javascripts_controller.rb
View File

@ -11,7 +11,7 @@ class ThemeJavascriptsController < ApplicationController
only: [:show] only: [:show]
) )
before_action :is_asset_path, :no_cookies, only: [:show] before_action :is_asset_path, :no_cookies, :apply_cdn_headers, only: [:show]
def show def show
raise Discourse::NotFound unless last_modified.present? raise Discourse::NotFound unless last_modified.present?

2
app/controllers/uploads_controller.rb
View File

@ -8,7 +8,7 @@ class UploadsController < ApplicationController
skip_before_action :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show, :show_short, :show_secure] skip_before_action :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show, :show_short, :show_secure]
protect_from_forgery except: :show protect_from_forgery except: :show
before_action :is_asset_path, only: [:show, :show_short, :show_secure] before_action :is_asset_path, :apply_cdn_headers, only: [:show, :show_short, :show_secure]
SECURE_REDIRECT_GRACE_SECONDS = 5 SECURE_REDIRECT_GRACE_SECONDS = 5

2
app/controllers/user_avatars_controller.rb
View File

@ -4,6 +4,8 @@ class UserAvatarsController < ApplicationController
skip_before_action :preload_json, :redirect_to_login_if_required, :check_xhr, :verify_authenticity_token, only: [:show, :show_letter, :show_proxy_letter] skip_before_action :preload_json, :redirect_to_login_if_required, :check_xhr, :verify_authenticity_token, only: [:show, :show_letter, :show_proxy_letter]
before_action :apply_cdn_headers, only: [:show, :show_letter, :show_proxy_letter]
def refresh_gravatar def refresh_gravatar
user = User.find_by(username_lower: params[:username].downcase) user = User.find_by(username_lower: params[:username].downcase)
guardian.ensure_can_edit!(user) guardian.ensure_can_edit!(user)

11
config/initializers/008-rack-cors.rb
View File

@ -25,15 +25,18 @@ class Discourse::Cors
status, headers, body = @app.call(env) status, headers, body = @app.call(env)
headers ||= {} headers ||= {}
Discourse::Cors.apply_headers(cors_origins, env, headers) if cors_origins Discourse::Cors.apply_headers(cors_origins, env, headers)
[status, headers, body] [status, headers, body]
end end
def self.apply_headers(cors_origins, env, headers) def self.apply_headers(cors_origins, env, headers)
origin = nil request_method = env['REQUEST_METHOD']
if cors_origins if env['SCRIPT_NAME'] == "/assets" && Discourse.is_cdn_request?(env, request_method)
Discourse.apply_cdn_headers(headers)
elsif cors_origins
origin = nil
if origin = env['HTTP_ORIGIN'] if origin = env['HTTP_ORIGIN']
origin = nil unless cors_origins.include?(origin) origin = nil unless cors_origins.include?(origin)
end end
@ -48,6 +51,6 @@ class Discourse::Cors
end end
end end
if GlobalSetting.enable_cors if GlobalSetting.enable_cors || GlobalSetting.cdn_url
Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors Rails.configuration.middleware.insert_before ActionDispatch::Flash, Discourse::Cors
end end

19
lib/discourse.rb
View File

@ -17,6 +17,7 @@ end
module Discourse module Discourse
DB_POST_MIGRATE_PATH ||= "db/post_migrate" DB_POST_MIGRATE_PATH ||= "db/post_migrate"
REQUESTED_HOSTNAME ||= "REQUESTED_HOSTNAME"
require 'sidekiq/exception_handler' require 'sidekiq/exception_handler'
class SidekiqExceptionHandler class SidekiqExceptionHandler
@ -917,6 +918,24 @@ module Discourse
def self.is_parallel_test? def self.is_parallel_test?
ENV['RAILS_ENV'] == "test" && ENV['TEST_ENV_NUMBER'] ENV['RAILS_ENV'] == "test" && ENV['TEST_ENV_NUMBER']
end end
CDN_REQUEST_METHODS ||= ["GET", "HEAD", "OPTIONS"]
def self.is_cdn_request?(env, request_method)
return unless CDN_REQUEST_METHODS.include?(request_method)
cdn_hostnames = GlobalSetting.cdn_hostnames
return if cdn_hostnames.blank?
requested_hostname = env[REQUESTED_HOSTNAME] || env[Rack::HTTP_HOST]
cdn_hostnames.include?(requested_hostname)
end
def self.apply_cdn_headers(headers)
headers['Access-Control-Allow-Origin'] = '*'
headers['Access-Control-Allow-Methods'] = CDN_REQUEST_METHODS.join(", ")
headers
end
end end
# rubocop:enable Style/GlobalVars # rubocop:enable Style/GlobalVars

1
lib/middleware/enforce_hostname.rb
View File

@ -17,6 +17,7 @@ module Middleware
allowed_hostnames = RailsMultisite::ConnectionManagement.current_db_hostnames allowed_hostnames = RailsMultisite::ConnectionManagement.current_db_hostnames
requested_hostname = env[Rack::HTTP_HOST] requested_hostname = env[Rack::HTTP_HOST]
env[Discourse::REQUESTED_HOSTNAME] = requested_hostname
env[Rack::HTTP_HOST] = allowed_hostnames.find { |h| h == requested_hostname } || Discourse.current_hostname env[Rack::HTTP_HOST] = allowed_hostnames.find { |h| h == requested_hostname } || Discourse.current_hostname
@app.call(env) @app.call(env)

19
spec/requests/static_controller_spec.rb
View File

@ -116,6 +116,25 @@ describe StaticController do
File.delete(file_path) File.delete(file_path)
end end
end end
it 'has correct cors headers for brotli assets' do
begin
assets_path = Rails.root.join("public/assets")
FileUtils.mkdir_p(assets_path)
file_path = assets_path.join("test.js.br")
File.write(file_path, 'fake brotli file')
GlobalSetting.stubs(:cdn_url).returns("https://www.example.com/")
get "/brotli_asset/test.js"
expect(response.status).to eq(200)
expect(response.headers["Access-Control-Allow-Origin"]).to match("*")
ensure
File.delete(file_path)
end
end
end end
context '#cdn_asset' do context '#cdn_asset' do