From: Avan Thakkar Date: Thu, 8 Dec 2022 11:16:21 +0000 (+0530) Subject: mgr/dashboard: allow Origin for CORS if present in config `cross_origin_url` X-Git-Tag: v16.2.11~50^2 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=24b6f28f787deb4673d4e987a8b10bfcc8db4211;p=ceph.git mgr/dashboard: allow Origin for CORS if present in config `cross_origin_url` Signed-off-by: Avan Thakkar (cherry picked from commit 04cfd23122248a7262a29003b9e5b4c18edbfb5b) --- diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py index 96f62178fda4d..3ea3cdfe9cf8b 100644 --- a/src/pybind/mgr/dashboard/module.py +++ b/src/pybind/mgr/dashboard/module.py @@ -248,16 +248,19 @@ class CherryPyConfig(object): resp_head = cherrypy.response.headers # Always set response headers necessary for 'simple' CORS. - req_header_origin_url = req_head.get('Access-Control-Allow-Origin') + req_header_cross_origin_url = req_head.get('Access-Control-Allow-Origin') cross_origin_urls = mgr.get_localized_module_option('cross_origin_url', '') cross_origin_url_list = [url.strip() for url in cross_origin_urls.split(',')] - if req_header_origin_url in cross_origin_url_list: - resp_head['Access-Control-Allow-Origin'] = req_header_origin_url + if req_header_cross_origin_url in cross_origin_url_list: + resp_head['Access-Control-Allow-Origin'] = req_header_cross_origin_url resp_head['Access-Control-Expose-Headers'] = 'GET, POST' resp_head['Access-Control-Allow-Credentials'] = 'true' # Non-simple CORS preflight request; short-circuit the normal handler. if cherrypy.request.method == 'OPTIONS': + req_header_origin_url = req_head.get('Origin') + if req_header_origin_url in cross_origin_url_list: + resp_head['Access-Control-Allow-Origin'] = req_header_origin_url ac_method = req_head.get('Access-Control-Request-Method', None) allowed_methods = ['GET', 'POST']