From ba6a38a7f6c497e025708111046d67875c4361be Mon Sep 17 00:00:00 2001
From: Elias Nahum <nahumhbl@gmail.com>
Date: Tue, 1 Mar 2016 13:00:54 -0300
Subject: Allow CORS

---
 api/context.go                                     |  4 +++
 config/config.json                                 |  1 +
 model/config.go                                    |  1 +
 utils/config.go                                    |  2 ++
 .../components/admin_console/service_settings.jsx  | 35 ++++++++++++++++++++++
 web/static/i18n/en.json                            |  3 ++
 web/static/i18n/es.json                            |  3 ++
 7 files changed, 49 insertions(+)

diff --git a/api/context.go b/api/context.go
index 9e05c5d87..3b9782851 100644
--- a/api/context.go
+++ b/api/context.go
@@ -166,6 +166,10 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		// All api response bodies will be JSON formatted by default
 		w.Header().Set("Content-Type", "application/json")
 
+		if len(utils.Cfg.ServiceSettings.AllowCorsFrom) > 0 {
+			w.Header().Set("Access-Control-Allow-Origin", utils.Cfg.ServiceSettings.AllowCorsFrom)
+		}
+
 		if r.Method == "GET" {
 			w.Header().Set("Expires", "0")
 		}
diff --git a/config/config.json b/config/config.json
index 2795546f8..b211b16d3 100644
--- a/config/config.json
+++ b/config/config.json
@@ -15,6 +15,7 @@
         "EnableDeveloper": false,
         "EnableSecurityFixAlert": true,
         "EnableInsecureOutgoingConnections": false,
+        "AllowCorsFrom": "",
         "SessionLengthWebInDays": 30,
         "SessionLengthMobileInDays": 30,
         "SessionLengthSSOInDays": 30,
diff --git a/model/config.go b/model/config.go
index aa3dd3586..a7d92c101 100644
--- a/model/config.go
+++ b/model/config.go
@@ -39,6 +39,7 @@ type ServiceSettings struct {
 	EnableDeveloper                   *bool
 	EnableSecurityFixAlert            *bool
 	EnableInsecureOutgoingConnections *bool
+	AllowCorsFrom                     string
 	SessionLengthWebInDays            *int
 	SessionLengthMobileInDays         *int
 	SessionLengthSSOInDays            *int
diff --git a/utils/config.go b/utils/config.go
index 3e4ba5c5b..0a1d40db0 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -236,5 +236,7 @@ func getClientConfig(c *model.Config) map[string]string {
 	props["WebsocketPort"] = fmt.Sprintf("%v", *c.ServiceSettings.WebsocketPort)
 	props["WebsocketSecurePort"] = fmt.Sprintf("%v", *c.ServiceSettings.WebsocketSecurePort)
 
+	props["AllowCorsFrom"] = c.ServiceSettings.AllowCorsFrom
+
 	return props
 }
diff --git a/web/react/components/admin_console/service_settings.jsx b/web/react/components/admin_console/service_settings.jsx
index 047c7eb8d..9ed81b6a3 100644
--- a/web/react/components/admin_console/service_settings.jsx
+++ b/web/react/components/admin_console/service_settings.jsx
@@ -31,6 +31,10 @@ var holders = defineMessages({
         id: 'admin.service.sessionDaysEx',
         defaultMessage: 'Ex "30"'
     },
+    corsExample: {
+        id: 'admin.service.corsEx',
+        defaultMessage: 'http://example.com'
+    },
     saving: {
         id: 'admin.service.saving',
         defaultMessage: 'Saving Config...'
@@ -131,6 +135,8 @@ class ServiceSettings extends React.Component {
         config.ServiceSettings.SessionCacheInMinutes = SessionCacheInMinutes;
         ReactDOM.findDOMNode(this.refs.SessionCacheInMinutes).value = SessionCacheInMinutes;
 
+        config.ServiceSettings.AllowCorsFrom = ReactDOM.findDOMNode(this.refs.AllowCorsFrom).value.trim();
+
         Client.saveConfig(
             config,
             () => {
@@ -763,6 +769,35 @@ class ServiceSettings extends React.Component {
                         </div>
                     </div>
 
+                    <div className='form-group'>
+                        <label
+                            className='control-label col-sm-4'
+                            htmlFor='AllowCorsFrom'
+                        >
+                            <FormattedMessage
+                                id='admin.service.corsTitle'
+                                defaultMessage='Allow Cross-origin Requests from:'
+                            />
+                        </label>
+                        <div className='col-sm-8'>
+                            <input
+                                type='text'
+                                className='form-control'
+                                id='AllowCorsFrom'
+                                ref='AllowCorsFrom'
+                                placeholder={formatMessage(holders.corsExample)}
+                                defaultValue={this.props.config.ServiceSettings.AllowCorsFrom}
+                                onChange={this.handleChange}
+                            />
+                            <p className='help-text'>
+                                <FormattedMessage
+                                    id='admin.service.corsDescription'
+                                    defaultMessage='Enable HTTP Cross origin request from a specific domain. Use "*" if you want to allow CORS from any domain or leave it blank to disable it.'
+                                />
+                            </p>
+                        </div>
+                    </div>
+
                     <div className='form-group'>
                         <label
                             className='control-label col-sm-4'
diff --git a/web/static/i18n/en.json b/web/static/i18n/en.json
index 0d7be4b08..7f570b339 100644
--- a/web/static/i18n/en.json
+++ b/web/static/i18n/en.json
@@ -294,6 +294,9 @@
   "admin.service.attemptTitle": "Maximum Login Attempts:",
   "admin.service.cmdsDesc": "When true, user created slash commands will be allowed.",
   "admin.service.cmdsTitle": "Enable Slash Commands: ",
+  "admin.service.corsEx": "http://example.com https://example.com",
+  "admin.service.corsDescription": "Enable HTTP Cross origin request from specific domains (separate by a spacebar). Use \"*\" if you want to allow CORS from any domain or leave it blank to disable it.",
+  "admin.service.corsTitle": "Allow Cross-origin Requests from:",
   "admin.service.developerDesc": "(Developer Option) When true, extra information around errors will be displayed in the UI.",
   "admin.service.developerTitle": "Enable Developer Mode: ",
   "admin.service.false": "false",
diff --git a/web/static/i18n/es.json b/web/static/i18n/es.json
index ea1b4663a..78a6e4c0e 100644
--- a/web/static/i18n/es.json
+++ b/web/static/i18n/es.json
@@ -294,6 +294,9 @@
   "admin.service.attemptTitle": "Máximo de intentos de conexión:",
   "admin.service.cmdsDesc": "Cuando es verdadero, se permite la creación de comandos de barra por usuarios.",
   "admin.service.cmdsTitle": "Habilitar Comandos de Barra: ",
+  "admin.service.corsEx": "http://ejemplo.com https://ejemplo.com",
+  "admin.service.corsDescription": "Habilita las solicitudes HTTP de origen cruzado para dominios en específico (separados por un espacio). Utiliza \"*\" si quieres habilitar CORS desde cualquier dominio o deja el campo en blanco para deshabilitarlo.",
+  "admin.service.corsTitle": "Permitir Solicitudes de Origen Cruzado desde:",
   "admin.service.developerDesc": "(Opción de Desarrollador) Cuando está asignado en verdadero, información extra sobre errores se muestra en el UI.",
   "admin.service.developerTitle": "Habilitar modo de Desarrollador: ",
   "admin.service.false": "falso",
-- 
cgit v1.2.3-1-g7c22