diff --git a/Jellyfin.Server/Configuration/CorsPolicyProvider.cs b/Jellyfin.Server/Configuration/CorsPolicyProvider.cs
new file mode 100644
index 0000000000..0d04b6bb13
--- /dev/null
+++ b/Jellyfin.Server/Configuration/CorsPolicyProvider.cs
@@ -0,0 +1,49 @@
+using System;
+using System.Threading.Tasks;
+using MediaBrowser.Controller.Configuration;
+using Microsoft.AspNetCore.Cors.Infrastructure;
+using Microsoft.AspNetCore.Http;
+
+namespace Jellyfin.Server.Configuration
+{
+ ///
+ /// Cors policy provider.
+ ///
+ public class CorsPolicyProvider : ICorsPolicyProvider
+ {
+ private readonly IServerConfigurationManager _serverConfigurationManager;
+
+ ///
+ /// Initializes a new instance of the class.
+ ///
+ /// Instance of the interface.
+ public CorsPolicyProvider(IServerConfigurationManager serverConfigurationManager)
+ {
+ _serverConfigurationManager = serverConfigurationManager;
+ }
+
+ ///
+ public Task GetPolicyAsync(HttpContext context, string policyName)
+ {
+ var corsHosts = _serverConfigurationManager.Configuration.CorsHosts;
+ var builder = new CorsPolicyBuilder()
+ .AllowAnyMethod()
+ .AllowAnyHeader();
+
+ // No hosts configured or only default configured.
+ if (corsHosts.Length == 0
+ || (corsHosts.Length == 1
+ && string.Equals(corsHosts[0], CorsConstants.AnyOrigin, StringComparison.Ordinal)))
+ {
+ builder.AllowAnyOrigin();
+ }
+ else
+ {
+ builder.WithOrigins(corsHosts)
+ .AllowCredentials();
+ }
+
+ return Task.FromResult(builder.Build());
+ }
+ }
+}
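Review bot: The `else` branch of `GetPolicyAsync` passes `corsHosts` straight to `WithOrigins(...).AllowCredentials()` on top of `AllowAnyMethod()` and `AllowAnyHeader()`, so every configured string becomes an origin allowed to make credentialed requests with any method and header, and nothing checks the entries first. The wildcard is only recognised when it is the sole element, so a list that mixes `*` with other entries also takes this branch; I would either reject such a list or add a comment above the `else` such as `// Entries must be exact origins (scheme://host[:port]); every listed origin is granted credentialed access.` `corsHosts.Length` is also read without a null check; whether the configuration can hold null is not visible here, but `CorsHosts` has a public setter, and `var corsHosts = _serverConfigurationManager.Configuration.CorsHosts ?? Array.Empty<string>();` would stop a null value from throwing on every request that reaches this provider. The existing comment should also state that an empty list falls back to `AllowAnyOrigin()`, because clearing the list does not restrict anything.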
diff --git a/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs b/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
index 517d77412f..9319b573a4 100644
--- a/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
+++ b/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
@@ -15,13 +15,15 @@ using Jellyfin.Api.Auth.LocalAccessPolicy;
using Jellyfin.Api.Auth.RequiresElevationPolicy;
using Jellyfin.Api.Constants;
using Jellyfin.Api.Controllers;
+using Jellyfin.Server.Configuration;
using Jellyfin.Server.Formatters;
-using Jellyfin.Server.Models;
+using Jellyfin.Server.Middleware;
using MediaBrowser.Common.Json;
using MediaBrowser.Model.Entities;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Cors.Infrastructure;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.OpenApi.Models;
@@ -138,10 +140,8 @@ namespace Jellyfin.Server.Extensions
public static IMvcBuilder AddJellyfinApi(this IServiceCollection serviceCollection, IEnumerable pluginAssemblies)
{
IMvcBuilder mvcBuilder = serviceCollection
- .AddCors(options =>
- {
- options.AddPolicy(ServerCorsPolicy.DefaultPolicyName, ServerCorsPolicy.DefaultPolicy);
- })
+ .AddCors()
+ .AddTransient()
.Configure(options =>
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
diff --git a/Jellyfin.Server/Models/ServerCorsPolicy.cs b/Jellyfin.Server/Models/ServerCorsPolicy.cs
deleted file mode 100644
index ae010c042e..0000000000
--- a/Jellyfin.Server/Models/ServerCorsPolicy.cs
+++ /dev/null
@@ -1,30 +0,0 @@
-using Microsoft.AspNetCore.Cors.Infrastructure;
-
-namespace Jellyfin.Server.Models
-{
- ///
- /// Server Cors Policy.
- ///
- public static class ServerCorsPolicy
- {
- ///
- /// Default policy name.
- ///
- public const string DefaultPolicyName = "DefaultCorsPolicy";
-
- ///
- /// Default Policy. Allow Everything.
- ///
- public static readonly CorsPolicy DefaultPolicy = new CorsPolicy
- {
- // Allow any origin
- Origins = { "*" },
-
- // Allow any method
- Methods = { "*" },
-
- // Allow any header
- Headers = { "*" }
- };
- }
-}
\ No newline at end of file
diff --git a/Jellyfin.Server/Startup.cs b/Jellyfin.Server/Startup.cs
index 597323b864..16629b5d95 100644
--- a/Jellyfin.Server/Startup.cs
+++ b/Jellyfin.Server/Startup.cs
@@ -5,7 +5,6 @@ using Jellyfin.Api.TypeConverters;
using Jellyfin.Server.Extensions;
using Jellyfin.Server.Implementations;
using Jellyfin.Server.Middleware;
-using Jellyfin.Server.Models;
using MediaBrowser.Common.Net;
using MediaBrowser.Controller;
using MediaBrowser.Controller.Configuration;
@@ -116,7 +115,7 @@ namespace Jellyfin.Server
mainApp.UseResponseCompression();
- mainApp.UseCors(ServerCorsPolicy.DefaultPolicyName);
+ mainApp.UseCors();
if (_serverConfigurationManager.Configuration.RequireHttps
&& _serverApplicationHost.ListenWithHttps)
diff --git a/MediaBrowser.Model/Configuration/ServerConfiguration.cs b/MediaBrowser.Model/Configuration/ServerConfiguration.cs
index 97748bd0ca..68dc1cc83d 100644
--- a/MediaBrowser.Model/Configuration/ServerConfiguration.cs
+++ b/MediaBrowser.Model/Configuration/ServerConfiguration.cs
@@ -263,6 +263,11 @@ namespace MediaBrowser.Model.Configuration
///
public long SlowResponseThresholdMs { get; set; }
+ ///
+ /// Gets or sets the cors hosts.
+ ///
+ public string[] CorsHosts { get; set; }
+
///
/// Initializes a new instance of the class.
///
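Review bot: The doc comment on `CorsHosts` says only "the cors hosts", but the values are handed to `WithOrigins` in `CorsPolicyProvider`, so they have to be full origins rather than host names. Browsers send the `Origin` header as scheme, host and optional port, so an entry such as `example.com` would presumably never match. I would expand the summary to something like `/// Gets or sets the allowed CORS origins, e.g. https://app.example.com. A single "*" or an empty list allows any origin without credentials; any other list allows credentialed requests from the listed origins.`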
@@ -372,6 +377,7 @@ namespace MediaBrowser.Model.Configuration
EnableSlowResponseWarning = true;
SlowResponseThresholdMs = 500;
+ CorsHosts = new[] { "*" };
}
}