Fix #3083: Set the Access-Control-Allow-Origin header to the request origin/host header if possible

2025-07-09 03:04:24 -04:00 · 2020-05-07 20:36:50 -07:00 · 2020-05-07 20:36:50 -07:00 · 3cb6fd8a27
commit 3cb6fd8a27
parent 5ce008e02f
3 changed files with 54 additions and 8 deletions
--- a/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
+++ b/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
@ -28,6 +28,7 @@ using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Primitives;
 using ServiceStack.Text.Jsv;
 namespace Emby.Server.Implementations.HttpServer
@ -454,9 +455,10 @@ namespace Emby.Server.Implementations.HttpServer
                if (string.Equals(httpReq.Verb, "OPTIONS", StringComparison.OrdinalIgnoreCase))
                {
                    httpRes.StatusCode = 200;
-                    httpRes.Headers.Add("Access-Control-Allow-Origin", "*");
+                    foreach(KeyValuePair<string, string> header in GetCorsHeaders(httpReq))
-                    httpRes.Headers.Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS");
+                    {
-                    httpRes.Headers.Add("Access-Control-Allow-Headers", "Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization");
+                        httpRes.Headers.Add(header.Key, header.Value);
                    }
                    httpRes.ContentType = "text/plain";
                    await httpRes.WriteAsync(string.Empty, cancellationToken).ConfigureAwait(false);
                    return;
@ -576,6 +578,31 @@ namespace Emby.Server.Implementations.HttpServer
            }
        }
        /// <summary>
        /// Get the default CORS headers
        /// </summary>
        /// <param name="req"></param>
        /// <returns></returns>
        public IDictionary<string, string> GetCorsHeaders(IRequest req)
        {
            var origin = req.Headers["Origin"];
            if (origin == StringValues.Empty)
            {
                origin = req.Headers["Host"];
                if (origin == StringValues.Empty)
                {
                    origin = "*";
                }
            }
            var headers = new Dictionary<string, string>();
            headers.Add("Access-Control-Allow-Origin", origin);
            headers.Add("Access-Control-Allow-Credentials", "true");
            headers.Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS");
            headers.Add("Access-Control-Allow-Headers", "Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization, Cookie");
            return headers;
        }
        // Entry point for HttpListener
        public ServiceHandler GetServiceHandler(IHttpRequest httpReq)
        {
@ -622,7 +649,7 @@ namespace Emby.Server.Implementations.HttpServer
            ResponseFilters = new Action<IRequest, HttpResponse, object>[]
            {
-                new ResponseFilter(_logger).FilterResponse
+                new ResponseFilter(this, _logger).FilterResponse
            };
        }
--- a/Emby.Server.Implementations/HttpServer/ResponseFilter.cs
+++ b/Emby.Server.Implementations/HttpServer/ResponseFilter.cs
@ -1,6 +1,8 @@
 using System;
 using System.Collections.Generic;
 using System.Globalization;
 using System.Text;
 using MediaBrowser.Controller.Net;
 using MediaBrowser.Model.Services;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
@ -13,14 +15,17 @@ namespace Emby.Server.Implementations.HttpServer
    /// </summary>
    public class ResponseFilter
    {
        private readonly IHttpServer _server;
        private readonly ILogger _logger;
        /// <summary>
        /// Initializes a new instance of the <see cref="ResponseFilter"/> class.
        /// </summary>
        /// <param name="server">The HTTP server.</param>
        /// <param name="logger">The logger.</param>
-        public ResponseFilter(ILogger logger)
+        public ResponseFilter(IHttpServer server, ILogger logger)
        {
            _server = server;
            _logger = logger;
        }
@ -32,10 +37,16 @@ namespace Emby.Server.Implementations.HttpServer
        /// <param name="dto">The dto.</param>
        public void FilterResponse(IRequest req, HttpResponse res, object dto)
        {
            foreach(KeyValuePair<string, string> header in _server.GetCorsHeaders(req))
            {
                res.Headers.Add(header.Key, header.Value);
            }
            // Try to prevent compatibility view
-            res.Headers.Add("Access-Control-Allow-Headers", "Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, Slug, Transfer-Encoding, Want-Digest, X-MediaBrowser-Token, X-Emby-Authorization");
+            res.Headers["Access-Control-Allow-Headers"] = ("Accept, Accept-Language, Authorization, Cache-Control, " +
-            res.Headers.Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS");
+                "Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, " +
-            res.Headers.Add("Access-Control-Allow-Origin", "*");
+                "Content-Type, Cookie, Date, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, " +
                "Origin, OriginToken, Pragma, Range, Slug, Transfer-Encoding, Want-Digest, X-MediaBrowser-Token, " +
                "X-Emby-Authorization");
            if (dto is Exception exception)
            {
--- a/MediaBrowser.Controller/Net/IHttpServer.cs
+++ b/MediaBrowser.Controller/Net/IHttpServer.cs
@ -2,6 +2,7 @@ using System;
 using System.Collections.Generic;
 using System.Threading.Tasks;
 using MediaBrowser.Model.Events;
 using MediaBrowser.Model.Services;
 using Microsoft.AspNetCore.Http;
 namespace MediaBrowser.Controller.Net
@ -38,5 +39,12 @@ namespace MediaBrowser.Controller.Net
        /// <param name="context"></param>
        /// <returns></returns>
        Task RequestHandler(HttpContext context);
        /// <summary>
        /// Get the default CORS headers
        /// </summary>
        /// <param name="req"></param>
        /// <returns></returns>
        IDictionary<string, string> GetCorsHeaders(IRequest req);
    }
 }