From: Tim Düsterhus
Date: Wed, 14 Dec 2016 23:20:57 +0000 (+0100)
Subject: Fix multi(sub)domain support
X-Git-Tag: 3.0.0_RC_1~8
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=bb282d8b7f248a467b80fbe6cebc01701bf0b993;p=GitHub%2FWoltLab%2FWCF.git
Fix multi(sub)domain support
---
diff --git a/wcfsetup/install/files/js/WCF.js b/wcfsetup/install/files/js/WCF.js
index a77244604b..74cddd02af 100755
--- a/wcfsetup/install/files/js/WCF.js
+++ b/wcfsetup/install/files/js/WCF.js
@@ -1547,6 +1547,7 @@ WCF.Action.Proxy = Class.extend({
 data: options.data,
 type: options.type,
 url: options.url,
+ withCredentials: (options.url === 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN),
 responseType: (options.dataType === 'json' ? 'application/json' : ''),
 autoAbort: options.autoAbortPrevious,
diff --git a/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax.js b/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax.js
index b419e373cb..ba449226b3 100644
--- a/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax.js
+++ b/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax.js
@@ -39,7 +39,10 @@ define(['AjaxRequest', 'Core', 'ObjectMap'], function(AjaxRequest, Core, ObjectM
 options.pinData = true;
 options.callbackObject = callbackObject;
- if (!options.url) options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ if (!options.url) {
+ options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ options.withCredentials = true;
+ }
 request = new AjaxRequest(options);
@@ -82,7 +85,10 @@ define(['AjaxRequest', 'Core', 'ObjectMap'], function(AjaxRequest, Core, ObjectM
 options.pinData = false;
 options.callbackObject = null;
- if (!options.url) options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ if (!options.url) {
+ options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ options.withCredentials = true;
+ }
 var request = new AjaxRequest(options);
 request.sendRequest();
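Review bot: The new `withCredentials` entry in WCF.Action.Proxy is derived by comparing `options.url` to the literal default proxy URL, so a caller that passes the proxy URL with an extra parameter, or an endpoint on another application's domain, sends the request without cookies even though cross-domain calls are what the commit is about. Ajax.js in the same commit makes the same decision by setting the flag when the URL is defaulted; letting the caller opt in as well would keep both clients extensible, e.g. `withCredentials: options.withCredentials || (options.url === 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN),`. The enclosing method starts and ends outside the hunk, so whether `options.withCredentials` is already read or defaulted elsewhere cannot be seen here.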
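Review bot: The four-line default block in the Ajax.js hunk at line 39 is repeated verbatim in the hunk at line 82 of the same file; both set the default proxy URL and switch on `withCredentials` together, so a later change to one site is easy to miss in the other. A small module-private helper inside the `define` callback would keep the two call sites identical; a sketch follows. Both enclosing functions start and end outside their hunks, so the helper's exact placement is left to the author.
```javascript
// Defaults for requests that go through the ajax proxy: the shared
// endpoint plus cookies, so the call works across application domains.
function setProxyDefaults(options) {
	if (!options.url) {
		options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
		options.withCredentials = true;
	}
}

// … unchanged: option setup above each call site …
setProxyDefaults(options);
request = new AjaxRequest(options);
```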
diff --git a/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax/Request.js b/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax/Request.js
index 6bab12a618..f8010ad16d 100644
--- a/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax/Request.js
+++ b/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax/Request.js
@@ -39,6 +39,7 @@ define(['Core', 'Language', 'Dom/ChangeListener', 'Dom/Util', 'Ui/Dialog', 'Wolt
 responseType: 'application/json',
 type: 'POST',
 url: '',
+ withCredentials: false,
 // behavior
 autoAbort: false,
@@ -108,6 +109,9 @@ define(['Core', 'Language', 'Dom/ChangeListener', 'Dom/Util', 'Ui/Dialog', 'Wolt
 this._xhr.setRequestHeader('Content-Type', this._options.contentType);
 }
 this._xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
+ if (this._options.withCredentials) {
+ this._xhr.withCredentials = true;
+ }
 var self = this;
 var options = Core.clone(this._options);
diff --git a/wcfsetup/install/files/lib/system/WCF.class.php b/wcfsetup/install/files/lib/system/WCF.class.php
index 166ccef839..79704154d4 100644
--- a/wcfsetup/install/files/lib/system/WCF.class.php
+++ b/wcfsetup/install/files/lib/system/WCF.class.php
@@ -27,6 +27,7 @@ use wcf\system\language\LanguageFactory;
 use wcf\system\package\PackageInstallationDispatcher;
 use wcf\system\request\Request;
 use wcf\system\request\RequestHandler;
+use wcf\system\request\RouteHandler;
 use wcf\system\session\SessionFactory;
 use wcf\system\session\SessionHandler;
 use wcf\system\style\StyleHandler;
@@ -152,6 +153,7 @@ class WCF {
 $this->initCronjobs();
 $this->initCoreObjects();
 $this->initApplications();
+ $this->initCors();
 $this->initBlacklist();
 EventHandler::getInstance()->fireAction($this, 'initialized');
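Review bot: The new `withCredentials` default in Request.js carries no comment, unlike the grouping comment (`// behavior`) that introduces the neighbouring defaults, so a reader cannot tell it is tied to the multi-domain proxy setup rather than being a general toggle; add `withCredentials: false, // send cookies on cross-origin requests; Ajax.js enables this for the default ajax-proxy URL`. In the second hunk, `if (this._options.withCredentials) { this._xhr.withCredentials = true; }` can be the single assignment `this._xhr.withCredentials = !!this._options.withCredentials;`, which is behaviour-identical (the XHR default is already false) and reads as the straight option-to-property copy it is. Both hunks sit inside functions whose start and end are outside the hunk.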
@@ -443,6 +445,36 @@ class WCF {
 }
 }
+ /**
+ * Responds with proper CORS headers.
+ */
+ protected function initCors() {
+ // Nothing to do here.
+ if (!isset($_SERVER['HTTP_ORIGIN'])) return;
+
+ $allowed = array_reduce(ApplicationHandler::getInstance()->getApplications(), function ($carry, $item) {
+ if ($_SERVER['HTTP_ORIGIN'] == RouteHandler::getProtocol().$item->domainName) return true;
+
+ return $carry;
+ }, false);
+
+ if (!$allowed) return;
+
+ header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']);
+ header('Access-Control-Allow-Credentials: true');
+ header('Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers');
+
+ if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+ if (!isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) return;
+ if (!isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) return;
+
+ header('Access-Control-Allow-Methods: GET, HEAD, POST, OPTIONS');
+ header('Access-Control-Allow-Headers: '.$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']);
+ header('Access-Control-Max-Age: 5');
+ exit;
+ }
+ }
+
 /**
 * Initializes applications.
 */
diff --git a/wcfsetup/install/files/lib/system/WCFACP.class.php b/wcfsetup/install/files/lib/system/WCFACP.class.php
index f2cb24d6e0..f5982be89d 100644
--- a/wcfsetup/install/files/lib/system/WCFACP.class.php
+++ b/wcfsetup/install/files/lib/system/WCFACP.class.php
@@ -65,6 +65,7 @@ class WCFACP extends WCF {
 $this->initApplications();
 }
+ $this->initCors();
 $this->initBlacklist();
 $this->initAuth();
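Review bot: A preflight that carries `Access-Control-Request-Method` but no `Access-Control-Request-Headers` (a browser omits the latter when only safelisted headers are used) hits the second `return` inside the `OPTIONS` branch of `initCors()` and, since that `return` does not `exit`, the OPTIONS request presumably continues through the rest of `init()` as a normal request and never receives `Access-Control-Allow-Methods`. The commit's own clients always send `X-Requested-With`, which forces that header, so the gap only shows for other callers; drop that `return` and echo the header only when present: `if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) header('Access-Control-Allow-Headers: '.$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']);`. The origin check in the `array_reduce` callback uses `==` while the method check a few lines below uses `===`; use `===` there too so the whitelist match reads as the exact string comparison it is meant to be. A plain `foreach` with an early `return true` on the first match would also express the whitelist more directly than `array_reduce` with a `$carry` that is only ever promoted to `true`.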