From bb282d8b7f248a467b80fbe6cebc01701bf0b993 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 15 Dec 2016 00:20:57 +0100
Subject: [PATCH] Fix multi(sub)domain support

---
 wcfsetup/install/files/js/WCF.js | 1 +
 .../files/js/WoltLabSuite/Core/Ajax.js | 10 ++++--
 .../js/WoltLabSuite/Core/Ajax/Request.js | 4 +++
 .../install/files/lib/system/WCF.class.php | 32 +++++++++++++++++++
 .../install/files/lib/system/WCFACP.class.php | 1 +
 5 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/wcfsetup/install/files/js/WCF.js b/wcfsetup/install/files/js/WCF.js
index a77244604b..74cddd02af 100755
--- a/wcfsetup/install/files/js/WCF.js
+++ b/wcfsetup/install/files/js/WCF.js
@@ -1547,6 +1547,7 @@ WCF.Action.Proxy = Class.extend({
 data: options.data,
 type: options.type,
 url: options.url,
+ withCredentials: (options.url === 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN),
 responseType: (options.dataType === 'json' ? 'application/json' : ''),
 autoAbort: options.autoAbortPrevious,
diff --git a/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax.js b/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax.js
index b419e373cb..ba449226b3 100644
--- a/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax.js
+++ b/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax.js
@@ -39,7 +39,10 @@ define(['AjaxRequest', 'Core', 'ObjectMap'], function(AjaxRequest, Core, ObjectM
 options.pinData = true;
 options.callbackObject = callbackObject;
- if (!options.url) options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ if (!options.url) {
+ options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ options.withCredentials = true;
+ }
 request = new AjaxRequest(options);
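Review bot: The added `withCredentials` line keys the credentialed mode on an exact string match of `options.url` against the proxy literal, so a caller that reaches the same proxy through a slightly different URL (absolute form, extra or reordered parameters) gets a request without cookies and, presumably, an unauthenticated session on the other domain. Consider letting callers set it explicitly and using the literal comparison only as the default, `withCredentials: (options.withCredentials !== undefined ? options.withCredentials : options.url === 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN),`, and add a why-comment such as `// the proxy may live on another (sub)domain of this installation, so send the session cookie along`. The same literal is built again twice in Ajax.js; a shared constant would keep the copies from drifting. The `WCF.Action.Proxy` initializer that holds this object literal starts and ends outside the hunk.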
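Review bot: Setting `options.withCredentials = true` inside the `if (!options.url)` branch ties the credential decision to the absence of a URL rather than to the endpoint being the proxy, and the identical two lines are repeated in the second hunk of this file; a small helper such as `function applyProxyDefaults(options) { if (!options.url) { options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN; options.withCredentials = true; } }` called from both places would keep them in step. A short comment on why cookies are needed here would help the next reader, since on a same-origin request the flag is a no-op and its purpose (the proxy sitting on another (sub)domain of the same installation, if I read the commit title correctly) is not visible from the code. The enclosing function starts and ends outside the hunk.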
@@ -82,7 +85,10 @@ define(['AjaxRequest', 'Core', 'ObjectMap'], function(AjaxRequest, Core, ObjectM
 options.pinData = false;
 options.callbackObject = null;
- if (!options.url) options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ if (!options.url) {
+ options.url = 'index.php?ajax-proxy/&t=' + SECURITY_TOKEN;
+ options.withCredentials = true;
+ }
 var request = new AjaxRequest(options);
 request.sendRequest();
diff --git a/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax/Request.js b/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax/Request.js
index 6bab12a618..f8010ad16d 100644
--- a/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax/Request.js
+++ b/wcfsetup/install/files/js/WoltLabSuite/Core/Ajax/Request.js
@@ -39,6 +39,7 @@ define(['Core', 'Language', 'Dom/ChangeListener', 'Dom/Util', 'Ui/Dialog', 'Wolt
 responseType: 'application/json',
 type: 'POST',
 url: '',
+ withCredentials: false,
 // behavior
 autoAbort: false,
@@ -108,6 +109,9 @@ define(['Core', 'Language', 'Dom/ChangeListener', 'Dom/Util', 'Ui/Dialog', 'Wolt
 this._xhr.setRequestHeader('Content-Type', this._options.contentType);
 }
 this._xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
+ if (this._options.withCredentials) {
+ this._xhr.withCredentials = true;
+ }
 var self = this;
 var options = Core.clone(this._options);
diff --git a/wcfsetup/install/files/lib/system/WCF.class.php b/wcfsetup/install/files/lib/system/WCF.class.php
index 166ccef839..79704154d4 100644
--- a/wcfsetup/install/files/lib/system/WCF.class.php
+++ b/wcfsetup/install/files/lib/system/WCF.class.php
@@ -27,6 +27,7 @@ use wcf\system\language\LanguageFactory;
 use wcf\system\package\PackageInstallationDispatcher;
 use wcf\system\request\Request;
 use wcf\system\request\RequestHandler;
+use wcf\system\request\RouteHandler;
 use wcf\system\session\SessionFactory;
 use wcf\system\session\SessionHandler;
 use wcf\system\style\StyleHandler;
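Review bot: The new `withCredentials: false` default in the options block carries no hint of when a caller should turn it on, and since the flag makes the browser attach cookies to a cross-origin request it is a security-relevant switch rather than a cosmetic one. A trailing comment would do, e.g. `withCredentials: false, // attach cookies to a cross-origin request; only needed when the target is another (sub)domain of this installation`. The defaults object this line sits in starts and ends outside the hunk.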
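Review bot: The three-line guard `if (this._options.withCredentials) { this._xhr.withCredentials = true; }` can be the single statement `this._xhr.withCredentials = !!this._options.withCredentials;`, which reads as the plain option-to-property copy it is and also resets the property on an explicit `false` should the XHR object ever be reused. Placing it after the `setRequestHeader` calls is fine, as those already require `open()` to have run, which is where the property is expected to be set; `open()` itself is outside the hunk, so that is inferred. The enclosing method starts and ends outside the hunk.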
@@ -152,6 +153,7 @@ class WCF {
 $this->initCronjobs();
 $this->initCoreObjects();
 $this->initApplications();
+ $this->initCors();
 $this->initBlacklist();
 EventHandler::getInstance()->fireAction($this, 'initialized');
@@ -443,6 +445,36 @@ class WCF {
 }
 }
+ /**
+ * Responds with proper CORS headers.
+ */
+ protected function initCors() {
+ // Nothing to do here.
+ if (!isset($_SERVER['HTTP_ORIGIN'])) return;
+ $allowed = array_reduce(ApplicationHandler::getInstance()->getApplications(), function ($carry, $item) {
+ if ($_SERVER['HTTP_ORIGIN'] == RouteHandler::getProtocol().$item->domainName) return true;
+ return $carry;
+ }, false);
+ if (!$allowed) return;
+ header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']);
+ header('Access-Control-Allow-Credentials: true');
+ header('Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers');
+ if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+ if (!isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) return;
+ if (!isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) return;
+ header('Access-Control-Allow-Methods: GET, HEAD, POST, OPTIONS');
+ header('Access-Control-Allow-Headers: '.$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']);
+ header('Access-Control-Max-Age: 5');
+ exit;
+ }
+ }
+
 /**
 * Initializes applications.
 */
diff --git a/wcfsetup/install/files/lib/system/WCFACP.class.php b/wcfsetup/install/files/lib/system/WCFACP.class.php
index f2cb24d6e0..f5982be89d 100644
--- a/wcfsetup/install/files/lib/system/WCFACP.class.php
+++ b/wcfsetup/install/files/lib/system/WCFACP.class.php
@@ -65,6 +65,7 @@ class WCFACP extends WCF {
 $this->initApplications();
 }
+ $this->initCors();
 $this->initBlacklist();
 $this->initAuth();
-- 
2.20.1
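Review bot: `initCors()` emits `Vary: Origin` only on the allowed path, so a response to a request with a foreign Origin can be stored by a shared cache without that key and later be handed, stripped of CORS headers, to a request from an allowed origin; the `Vary` header belongs above `if (!$allowed) return;`. The origin gate itself is an exact match against the configured application domains, which is the right shape for a reflected `Access-Control-Allow-Origin` paired with `Access-Control-Allow-Credentials: true`, but it uses loose `==` where `===` states the intent. `Access-Control-Allow-Headers` echoes `Access-Control-Request-Headers` verbatim; behind the gate this is not a cross-origin hole, yet it is wider than needed and could be an allow-list of what the bundled client sends (`Content-Type` and `X-Requested-With` are the two visible in Request.js; confirm no other caller adds custom headers before narrowing). Also note that a preflight from a non-allowed origin, or one lacking `Access-Control-Request-Headers`, does not `exit` and is processed as an ordinary OPTIONS request further down.
```php
protected function initCors() {
	// Nothing to do here.
	if (!isset($_SERVER['HTTP_ORIGIN'])) return;

	// Emitted before the origin check on purpose: caches must key on Origin even when
	// CORS headers are withheld, or a CORS-less copy may be served to an allowed origin.
	header('Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers');

	$allowed = array_reduce(ApplicationHandler::getInstance()->getApplications(), function ($carry, $item) {
		// strict match: the Origin must equal the protocol prefix plus the domain of a configured app
		return $carry || $_SERVER['HTTP_ORIGIN'] === RouteHandler::getProtocol().$item->domainName;
	}, false);

	if (!$allowed) return;

	// … unchanged: Access-Control-Allow-Origin / Access-Control-Allow-Credentials …

	if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
		// … unchanged: Access-Control-Request-Method / -Headers presence checks, Allow-Methods …
		// Allow-list rather than echoing the request; extend if another caller sends more headers.
		header('Access-Control-Allow-Headers: Content-Type, X-Requested-With');
		// … unchanged: Access-Control-Max-Age, exit …
	}
}
```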
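Review bot: In the ACP the new `$this->initCors()` call is placed ahead of `initAuth()`, so a preflight from an allowed origin is answered and terminated by `exit` before any session or admin check runs; that is presumably intended, since a preflight carries no cookies, but the ordering is load-bearing and should be documented in place, e.g. `// must run before initAuth(): CORS preflights are unauthenticated and have to be answered without a session`. Whether `initAuth()` would otherwise redirect or abort a credentialed cross-domain XHR cannot be seen from this hunk and is worth confirming. The enclosing method starts and ends outside the hunk.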