<script>
var SID_ARG_2ND = '';
var WCF_PATH = '{@$__wcf->getPath()}';
- var WSC_API_URL = '{@$__wcf->getPath()}';
+ var WSC_API_URL = '{@$__wcf->getActivePath()}';
var SECURITY_TOKEN = '{@SECURITY_TOKEN}';
var LANGUAGE_ID = {@$__wcf->getLanguage()->languageID};
var LANGUAGE_USE_INFORMAL_VARIANT = {if LANGUAGE_USE_INFORMAL_VARIANT}true{else}false{/if};
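Review bot: `WCF_PATH` on the line above still resolves through `getPath()`, so only requests built from `WSC_API_URL` move to the active application's origin. This commit also removes the CORS response headers, so any client script that still builds an AJAX URL from `WCF_PATH` would presumably become a cross-origin request without the headers it used to receive. Those call sites are not visible here and are worth checking. A template comment above the assignment would record the distinction, for example `{* WSC_API_URL stays on the active application's origin; do not build AJAX endpoints from WCF_PATH *}`. The same applies to the ACP header hunk that sets `'{@$__wcf->getActivePath()}acp/'`.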
<script>
var SID_ARG_2ND = '';
var WCF_PATH = '{@$__wcf->getPath()}';
- var WSC_API_URL = '{@$__wcf->getPath()}acp/';
+ var WSC_API_URL = '{@$__wcf->getActivePath()}acp/';
var SECURITY_TOKEN = '{@SECURITY_TOKEN}';
var LANGUAGE_ID = {@$__wcf->getLanguage()->languageID};
var LANGUAGE_USE_INFORMAL_VARIANT = {if LANGUAGE_USE_INFORMAL_VARIANT}true{else}false{/if};
// start initialization
$this->initDB();
$this->loadOptions();
- $this->initCors();
$this->initSession();
$this->initLanguage();
$this->initTPL();
}
}
- /**
- * Responds with proper CORS headers.
- */
- protected function initCors() {
- // Nothing to do here.
- if (!isset($_SERVER['HTTP_ORIGIN'])) return;
-
- $allowed = array_reduce(ApplicationHandler::getInstance()->getApplications(), function ($carry, $item) {
- if ($_SERVER['HTTP_ORIGIN'] == RouteHandler::getProtocol().$item->domainName) return true;
-
- return $carry;
- }, false);
-
- if (!$allowed) return;
-
- header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']);
- header('Access-Control-Allow-Credentials: true');
- header('Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers');
-
- if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
- if (!isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) return;
- if (!isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) return;
-
- header('Access-Control-Allow-Methods: GET, HEAD, POST, OPTIONS');
- header('Access-Control-Allow-Headers: '.$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']);
- header('Access-Control-Max-Age: 5');
- exit;
- }
- }
-
/**
* Initializes applications.
*/
return self::$applications[$abbreviation]->getPageURL();
}
+ /**
+ * Returns the domain path for the currently active application,
+ * used to avoid CORS requests.
+ *
+ * @return string
+ */
+ public static function getActivePath() {
+ if (!PACKAGE_ID) {
+ return self::getPath();
+ }
+
+ return self::getPath(ApplicationHandler::getInstance()->getAbbreviation(ApplicationHandler::getInstance()->getActiveApplication()->packageID));
+ }
+
/**
* Returns a fully qualified anchor for current page.
*
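Review bot: The docblock on `getActivePath()` says only that the path is "used to avoid CORS requests", and leaves out the two facts a caller needs. It should state that the method falls back to `self::getPath()` when `PACKAGE_ID` is falsy, and that the templates print the result unencoded into a JavaScript string literal (`'{@$__wcf->getActivePath()}'`), so the value must come only from the application configuration and never from request data. The return line also calls `ApplicationHandler::getInstance()` twice and dereferences `getActiveApplication()->packageID` directly. Holding the handler in a local reads more easily: `$handler = ApplicationHandler::getInstance();` followed by `return self::getPath($handler->getAbbreviation($handler->getActiveApplication()->packageID));`. Whether `getActiveApplication()` can return null at this point is not visible in the hunk and should be confirmed.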
// start initialization
$this->initDB();
$this->loadOptions();
- $this->initCors();
$this->initPackage();
$this->initSession();
$this->initLanguage();
$parts = array_map('ucfirst', $parts);
$controller = implode('', $parts);
- // work-around for upgrade path 2.1 -> 3.0
+ // work-around for legacy action controllers for upgrade and CORS avoidance
if ($controller === 'AjaxProxy') $controller = 'AJAXProxy';
+ else if ($controller === 'AjaxUpload') $controller = 'AJAXUpload';
+ else if ($controller === 'AjaxInvoke') $controller = 'AJAXInvoke';
// work-around for package installation during upgrade 2.1 -> 3.0
if ($isAcpRequest && $controller === 'InstallPackage') $application = 'wcf';
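Review bot: The `if` / `else if` chain that renames `AjaxProxy`, `AjaxUpload` and `AjaxInvoke` now serves two purposes, the upgrade path and same-origin AJAX routing, and each further legacy name needs another branch. A small lookup table keeps the request-derived controller name restricted to an explicit list and is easier to audit: `$legacy = ['AjaxProxy' => 'AJAXProxy', 'AjaxUpload' => 'AJAXUpload', 'AjaxInvoke' => 'AJAXInvoke'];` followed by `if (isset($legacy[$controller])) $controller = $legacy[$controller];`. The comment could also say why the casing matters, presumably because the class name is later built from `$controller` and must match the file on disk. The enclosing method starts and ends outside this hunk.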
protected function getClassData($application, $controller, $isAcpRequest, $pageType) {
$className = $application . '\\' . ($isAcpRequest ? 'acp\\' : '') . $pageType . '\\' . $controller . ucfirst($pageType);
if (!class_exists($className)) {
- return null;
+ // avoid CORS by allowing action classes invoked form every application domain
+ if ($pageType === 'action' && $application !== 'wcf') {
+ $className = 'wcf\\' . ($isAcpRequest ? 'acp\\' : '') . $pageType . '\\' . $controller . ucfirst($pageType);
+ if (!class_exists($className)) {
+ return null;
+ }
+ }
+ else {
+ return null;
+ }
}
// check for abstract classes
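Review bot: The new fallback in `getClassData()` lets a request routed to any non-`wcf` application resolve a `wcf\action\*` or `wcf\acp\action\*` class, so the application part of the route no longer narrows which core actions are reachable. Authorisation and token checks therefore have to live entirely in the action classes, which this hunk does not show. The added comment should say this, and it contains a typo ("invoked form"). A possible wording is `// fall back to the core (wcf) action class so AJAX calls can stay on the active application's origin; access control remains the action class's responsibility`. The class-name expression is also duplicated; an early `if ($pageType !== 'action' || $application === 'wcf') return null;` inside the first `class_exists` check would remove the `else` branch. The method continues past the end of the hunk.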