From 513a69c42fc8e8e5b49675780c0af2fc05e74e96 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Thu, 14 Jun 2012 12:07:55 +0300
Subject: [PATCH] Add Access-Control-Allow-Origin headers to static content
 served from our CDN.

---
 bin/browserid       | 9 +++++++++
 bin/router          | 5 ++---
 lib/http_forward.js | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/bin/browserid b/bin/browserid
index 20696a82b..d4fcfc3c7 100755
--- a/bin/browserid
+++ b/bin/browserid
@@ -135,6 +135,15 @@ app.use(function(req, res, next) {
   next();
 });
 
+// add 'Access-Control-Allow-Origin' headers to static resources that will be served
+// from the CDN.  We explicitly allow resources served from public_url to access these.
+app.use(function(req, res, next) {
+  res.on('header', function() {
+    res.setHeader("Access-Control-Allow-Origin", config.get('public_url'));
+  });
+  next();
+});
+
 app.use(express.static(static_root));
 
 // open the databse
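Review bot: The Access-Control-Allow-Origin header is attached to every response from this app, not only to static resources as the comment on the new middleware says: `app.use` without a mount path runs for each request, and the `'header'` listener fires whenever a response's headers are flushed, including for handlers registered after `express.static`. If only CDN-served static content is meant to carry it, register the listener from inside a wrapper around the static handler or otherwise key it to the static paths; if the broad scope is intended, reword the comment, e.g. `// add 'Access-Control-Allow-Origin' to every response (including static resources served via the CDN) so documents from public_url may read them.` Since the value is the single fixed public_url and no Access-Control-Allow-Credentials header is set, the exposure is limited to that one origin, but the actual scope should still be stated where the header is set.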
diff --git a/bin/router b/bin/router
index 4b4bb5fe4..671cfb39f 100755
--- a/bin/router
+++ b/bin/router
@@ -20,7 +20,6 @@ logger = require('../lib/logging.js').logger,
 forward = require('../lib/http_forward').forward,
 shutdown = require('../lib/shutdown');
 
-
 var app = undefined;
 
 app = express.createServer();
@@ -78,9 +77,9 @@ if (statsd_config && statsd_config.enabled) {
 
 // Add Strict-Transport-Security headers if we're serving over SSL
 if (config.get('scheme') == 'https') {
-  app.use(function(req, resp, next) {
+  app.use(function(req, res, next) {
     // expires in 30 days, include subdomains like www
-    resp.setHeader("Strict-Transport-Security", "max-age=2592000; includeSubdomains");
+    res.setHeader("Strict-Transport-Security", "max-age=2592000; includeSubdomains");
     next();
     });
 }
diff --git a/lib/http_forward.js b/lib/http_forward.js
index 40f486caf..09d1023dd 100644
--- a/lib/http_forward.js
+++ b/lib/http_forward.js
@@ -47,7 +47,7 @@ exports.forward = function(dest, req, res, cb) {
     res.statusCode = pres.statusCode;
 
     // forward necessary headers
-    ['Content-Type', 'Content-Length', 'Set-Cookie', 'Vary', 'Cache-Control', 'ETag', 'X-Frame-Options', 'Location']
+    ['Content-Type', 'Content-Length', 'Set-Cookie', 'Vary', 'Cache-Control', 'ETag', 'X-Frame-Options', 'Location', 'Access-Control-Allow-Origin']
       .forEach(function (header) {
         if (pres.headers.hasOwnProperty(header.toLowerCase())) {
           res.setHeader(header, pres.headers[header.toLowerCase()]);
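Review bot: The list of forwarded headers is now a very long inline array literal in front of the `.forEach`; hoisting it to a named module-level constant with a short comment would make the policy easy to find and extend, e.g. `var FORWARDED_HEADERS = ['Content-Type', /* ... */ 'Location', 'Access-Control-Allow-Origin'];` followed by `FORWARDED_HEADERS.forEach(function (header) {`. The comment should say this is an allowlist, i.e. any upstream response header not in it is dropped, and that the router relays whatever Access-Control-Allow-Origin value the upstream sets, so the upstream (bin/browserid in this patch) is the single place deciding that policy. exports.forward starts before this hunk and its body continues past it.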
-- 
GitLab