authorEugen Rochko <eugen@zeonfederated.com>2016-11-09 18:06:01 +0100
committerEugen Rochko <eugen@zeonfederated.com>2016-11-09 18:06:01 +0100
commit448ab18a201c902b4e7a1aa468c352c20d034989 (patch)
tree5c33573bac66ded15ed009de707da3e64aeffd7c /config/application.rb
parentb13e7dda1f33be43d1667b754b67df71f3187a5c (diff)
Replace setting custom CORS headers with rack-cors, set it on /oauth/token endpoint
Diffstat (limited to 'config/application.rb')
-rw-r--r--config/application.rb13
1 files changed, 11 insertions, 2 deletions
diff --git a/config/application.rb b/config/application.rb
index 552f4ec11..dfe49b8ec 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -27,6 +27,15 @@ module Mastodon
 
     config.active_job.queue_adapter = :sidekiq
 
+    config.middleware.insert_before 0, Rack::Cors do
+      allow do
+        origins  '*'
+
+        resource '/api/*',       :headers => :any, :methods => [:post, :put, :delete, :get, :options], credentials: false
+        resource '/oauth/token', :headers => :any, :methods => [:post], credentials: false
+      end
+    end
+
     config.middleware.use Rack::Attack
     config.middleware.use Rack::Deflater
 
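Review bot: The two `resource` lines mix hash-rocket and keyword-argument syntax in the same call (`:headers => :any, :methods => [...], credentials: false`); pick one form, e.g. `resource '/oauth/token', headers: :any, methods: [:post], credentials: false`, and align the `/api/*` line to match. The `/api/*` method list also omits `:patch`, so a browser-originated PATCH to the API would fail the CORS preflight — worth confirming against the API routes, which are not visible here. Inserting the middleware at position 0 means preflight OPTIONS requests are answered before `Rack::Attack` runs; that is the placement rack-cors expects, but those preflight responses are therefore outside its throttles, which is worth a one-line comment above `insert_before`.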
@@ -38,9 +47,9 @@ module Mastodon
     end
 
     config.action_dispatch.default_headers = {
-      'X-Frame-Options' => 'DENY',
+      'X-Frame-Options'        => 'DENY',
       'X-Content-Type-Options' => 'nosniff',
-      'X-XSS-Protection' => '1; mode=block'
+      'X-XSS-Protection'       => '1; mode=block'
     }
   end
 end