options.pinData = true;
options.callbackObject = callbackObject;
- if (!options.url) options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ if (!options.url) {
+ options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ options.withCredentials = true;
+ }
request = new AjaxRequest(options);
options.pinData = false;
options.callbackObject = null;
- if (!options.url) options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ if (!options.url) {
+ options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ options.withCredentials = true;
+ }
var request = new AjaxRequest(options);
request.sendRequest();
responseType: 'application/json',
type: 'POST',
url: '',
+ withCredentials: false,
// behavior
autoAbort: false,
this._xhr.setRequestHeader('Content-Type', this._options.contentType);
}
this._xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
+ if (this._options.withCredentials) {
+ this._xhr.withCredentials = true;
+ }
var self = this;
var options = Core.clone(this._options);
use wcf\system\package\PackageInstallationDispatcher;
use wcf\system\request\Request;
use wcf\system\request\RequestHandler;
+use wcf\system\request\RouteHandler;
use wcf\system\session\SessionFactory;
use wcf\system\session\SessionHandler;
use wcf\system\style\StyleHandler;
$this->initCronjobs();
$this->initCoreObjects();
$this->initApplications();
+ $this->initCors();
$this->initBlacklist();
EventHandler::getInstance()->fireAction($this, 'initialized');
}
}
+ /**
+ * Responds with proper CORS headers.
+ */
+ protected function initCors() {
+ // Nothing to do here.
+ if (!isset($_SERVER['HTTP_ORIGIN'])) return;
+
+ $allowed = array_reduce(ApplicationHandler::getInstance()->getApplications(), function ($carry, $item) {
+ if ($_SERVER['HTTP_ORIGIN'] == RouteHandler::getProtocol().$item->domainName) return true;
+
+ return $carry;
+ }, false);
+
+ if (!$allowed) return;
+
+ header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']);
+ header('Access-Control-Allow-Credentials: true');
+ header('Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers');
+
+ if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+ if (!isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) return;
+ if (!isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) return;
+
+ header('Access-Control-Allow-Methods: GET, HEAD, POST, OPTIONS');
+ header('Access-Control-Allow-Headers: '.$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']);
+ header('Access-Control-Max-Age: 5');
+ exit;
+ }
+ }
+
/**
* Initializes applications.
*/
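Review bot: The preflight branch of initCors returns without answering when `Access-Control-Request-Headers` is missing, but browsers omit that header whenever the request carries no non-safelisted headers, so a preflight that asks only about a method (no custom headers) falls through into normal request handling and never receives `Access-Control-Allow-Methods`. Only `HTTP_ACCESS_CONTROL_REQUEST_METHOD` should be required, and `Access-Control-Allow-Headers` should be emitted only when the corresponding request header is present. The origin check inside the array_reduce callback also uses loose `==` for an allow-list decision; `===` is the appropriate comparison for a string allow-list. The rewritten lines are shown below; the `init()` call site and the `use` import for RouteHandler in the earlier hunks are unaffected.
```php
    protected function initCors() {
        // … unchanged: early return when no Origin header is present …
        $allowed = array_reduce(ApplicationHandler::getInstance()->getApplications(), function ($carry, $item) {
            // strict comparison: this is an allow-list decision on an untrusted header
            if ($_SERVER['HTTP_ORIGIN'] === RouteHandler::getProtocol().$item->domainName) return true;

            return $carry;
        }, false);
        // … unchanged: $allowed check, Allow-Origin / Allow-Credentials / Vary headers …
        if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
            // Access-Control-Request-Headers is only sent when non-safelisted headers are
            // used; a preflight that carries just the method must still be answered.
            if (!isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) return;

            header('Access-Control-Allow-Methods: GET, HEAD, POST, OPTIONS');
            if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
                header('Access-Control-Allow-Headers: '.$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']);
            }
            header('Access-Control-Max-Age: 5');
            exit;
        }
    }
```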