Bug 24369: Add CORS support to output_with_http_headers()

This patch adds CORS support to output_with_headers(). It will use the AccessControlAllowOrigin syspref to pick the value and set the Access-Control-Allow-Origin header. To test: 1. Apply this patch 2. Run: $ kshell k$ prove t/Output.t SUCCESS: Tests pass! 3. Sign off :-D Signed-off-by: Andrew Isherwood <andrew.isherwood@ptfs-europe.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
4 years ago · c951f8e06a
2 changed files with 57 additions and 3 deletions
--- a/C4/Output.pm
+++ b/C4/Output.pm
@ -274,6 +274,8 @@ sub output_with_http_headers {
        'X-Frame-Options' => 'SAMEORIGIN',
    };
    $options->{expires} = 'now' if $extra_options->{force_no_caching};
+    $options->{'Access-Control-Allow-Origin'} = C4::Context->preference('AccessControlAllowOrigin')
+        if C4::Context->preference('AccessControlAllowOrigin');

    $options->{cookie} = $cookie if $cookie;
    if ($content_type eq 'html') {  # guaranteed to be one of the content_type_map keys, else we'd have died
--- a/t/Output.t
+++ b/t/Output.t
@ -1,12 +1,28 @@
 #!/usr/bin/perl

-use strict;
-use warnings;
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see <http://www.gnu.org/licenses>.

-use Test::More tests => 6;
+use Modern::Perl;
+
+use Test::More tests => 7;
 use Test::Warn;
 use CGI qw ( -utf8 );

+use t::lib::Mocks;
+
 BEGIN {
    use_ok('C4::Output');
 }
@ -41,3 +57,39 @@ subtest 'parametrized_url' => sub {
    is( $res, 'https://somesite.com/search?q=_title_&author=',
        'Title replaced, author empty and SUFFIX removed' );
 };
+
+subtest 'output_with_http_headers() tests' => sub {
+
+    plan tests => 4;
+
+    local *STDOUT;
+    my $stdout;
+
+    my $query = CGI->new();
+    my $cookie;
+    my $output = 'foobarbaz';
+
+    open STDOUT, '>', \$stdout;
+    t::lib::Mocks::mock_preference('AccessControlAllowOrigin','');
+    output_html_with_http_headers $query, $cookie, $output, undef;
+    unlike($stdout, qr/Access-control-allow-origin/, 'No header set if no value on syspref');
+    close STDOUT;
+
+    open STDOUT, '>', \$stdout;
+    t::lib::Mocks::mock_preference('AccessControlAllowOrigin',undef);
+    output_html_with_http_headers $query, $cookie, $output, undef;
+    unlike($stdout, qr/Access-control-allow-origin/, 'No header set if no value on syspref');
+    close STDOUT;
+
+    open STDOUT, '>', \$stdout;
+    t::lib::Mocks::mock_preference('AccessControlAllowOrigin','*');
+    output_html_with_http_headers $query, $cookie, $output, undef;
+    like($stdout, qr/Access-control-allow-origin: \*/, 'Header set to *');
+    close STDOUT;
+
+    open STDOUT, '>', \$stdout;
+    t::lib::Mocks::mock_preference('AccessControlAllowOrigin','https://koha-community.org');
+    output_html_with_http_headers $query, $cookie, $output, undef;
+    like($stdout, qr/Access-control-allow-origin: https:\/\/koha-community\.org/, 'Header set to https://koha-community.org');
+    close STDOUT;
+};