From c951f8e06a8db91308b85f2610ee9a8c4d89297a Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Thu, 9 Jan 2020 10:44:09 -0300 Subject: [PATCH] Bug 24369: Add CORS support to output_with_http_headers() This patch adds CORS support to output_with_headers(). It will use the AccessControlAllowOrigin syspref to pick the value and set the Access-Control-Allow-Origin header. To test: 1. Apply this patch 2. Run: $ kshell k$ prove t/Output.t SUCCESS: Tests pass! 3. Sign off :-D Signed-off-by: Andrew Isherwood Signed-off-by: Kyle M Hall Signed-off-by: Martin Renvoize --- C4/Output.pm | 2 ++ t/Output.t | 58 +++++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 57 insertions(+), 3 deletions(-) diff --git a/C4/Output.pm b/C4/Output.pm index 4549cfc1d4..921c3a4ad0 100644 --- a/C4/Output.pm +++ b/C4/Output.pm @@ -274,6 +274,8 @@ sub output_with_http_headers { 'X-Frame-Options' => 'SAMEORIGIN', }; $options->{expires} = 'now' if $extra_options->{force_no_caching}; + $options->{'Access-Control-Allow-Origin'} = C4::Context->preference('AccessControlAllowOrigin') + if C4::Context->preference('AccessControlAllowOrigin'); $options->{cookie} = $cookie if $cookie; if ($content_type eq 'html') { # guaranteed to be one of the content_type_map keys, else we'd have died diff --git a/t/Output.t b/t/Output.t index 279ce06200..31ca103a75 100755 --- a/t/Output.t +++ b/t/Output.t 
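Review bot: The two added lines in output_with_http_headers copy the AccessControlAllowOrigin preference into the response header without checking its shape, and they read the preference twice. Access-Control-Allow-Origin is only useful as `*` or one origin, so a preference holding a list of origins, a path, or stray whitespace yields a header browsers ignore, and nothing reports the misconfiguration. Reading it once and validating it would fix both: `my $acao = C4::Context->preference('AccessControlAllowOrigin');` then `$options->{'Access-Control-Allow-Origin'} = $acao if $acao && $acao =~ m{\A(?:\*|https?://[^\s/,]+)\z};`. The header is set on every response that passes through this function, so a comment should say that and note that `*` lets any origin read pages served without credentials. The function starts and ends outside the hunk, and the preference may already be validated on save elsewhere.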
@@ -1,12 +1,28 @@ #!/usr/bin/perl -use strict; -use warnings; +# This file is part of Koha. +# +# Koha is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# Koha is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Koha; if not, see . -use Test::More tests => 6; +use Modern::Perl; + +use Test::More tests => 7; use Test::Warn; use CGI qw ( -utf8 ); +use t::lib::Mocks; + BEGIN { use_ok('C4::Output'); } 
@@ -41,3 +57,39 @@ subtest 'parametrized_url' => sub { is( $res, 'https://somesite.com/search?q=_title_&author=', 'Title replaced, author empty and SUFFIX removed' ); }; + +subtest 'output_with_http_headers() tests' => sub { + + plan tests => 4; + + local *STDOUT; + my $stdout; + + my $query = CGI->new(); + my $cookie; + my $output = 'foobarbaz'; + + open STDOUT, '>', \$stdout; + t::lib::Mocks::mock_preference('AccessControlAllowOrigin',''); + output_html_with_http_headers $query, $cookie, $output, undef; + unlike($stdout, qr/Access-control-allow-origin/, 'No header set if no value on syspref'); + close STDOUT; + + open STDOUT, '>', \$stdout; + t::lib::Mocks::mock_preference('AccessControlAllowOrigin',undef); + output_html_with_http_headers $query, $cookie, $output, undef; + unlike($stdout, qr/Access-control-allow-origin/, 'No header set if no value on syspref'); + close STDOUT; + + open STDOUT, '>', \$stdout; + t::lib::Mocks::mock_preference('AccessControlAllowOrigin','*'); + output_html_with_http_headers $query, $cookie, $output, undef; + like($stdout, qr/Access-control-allow-origin: \*/, 'Header set to *'); + close STDOUT; + + open STDOUT, '>', \$stdout; + t::lib::Mocks::mock_preference('AccessControlAllowOrigin','https://koha-community.org'); + output_html_with_http_headers $query, $cookie, $output, undef; + like($stdout, qr/Access-control-allow-origin: https:\/\/koha-community\.org/, 'Header set to https://koha-community.org'); + close STDOUT; +}; -- 2.39.5
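Review bot: The two `unlike` assertions in the new subtest match case-sensitively on `Access-control-allow-origin`, so they would pass vacuously if the header were emitted with different capitalisation; use `qr/Access-control-allow-origin/i` for the negative checks. Both also carry the same description, 'No header set if no value on syspref', so a failure does not say whether the empty-string or the undef case broke. The `open STDOUT, '>', \$stdout;` calls are unchecked; `open STDOUT, '>', \$stdout or die "cannot redirect STDOUT: $!";` would stop a failed redirect from producing misleading results. The subtest is titled for output_with_http_headers() but only calls output_html_with_http_headers, so the header is untested for the other content types.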