about summary refs log tree commit diff
path: root/config
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2016-11-09 18:06:01 +0100
committerEugen Rochko <eugen@zeonfederated.com>2016-11-09 18:06:01 +0100
commit448ab18a201c902b4e7a1aa468c352c20d034989 (patch)
tree5c33573bac66ded15ed009de707da3e64aeffd7c /config
parentb13e7dda1f33be43d1667b754b67df71f3187a5c (diff)
Replace setting custom CORS headers with rack-cors, set it on /oauth/token endpoint
Diffstat (limited to 'config')
-rw-r--r--config/application.rb13
1 files changed, 11 insertions, 2 deletions
diff --git a/config/application.rb b/config/application.rb
index 552f4ec11..dfe49b8ec 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -27,6 +27,15 @@ module Mastodon
 
     config.active_job.queue_adapter = :sidekiq
 
+    config.middleware.insert_before 0, Rack::Cors do
+      allow do
+        origins  '*'
+
+        resource '/api/*',       :headers => :any, :methods => [:post, :put, :delete, :get, :options], credentials: false
+        resource '/oauth/token', :headers => :any, :methods => [:post], credentials: false
+      end
+    end
+
     config.middleware.use Rack::Attack
     config.middleware.use Rack::Deflater
 
@@ -38,9 +47,9 @@ module Mastodon
     end
 
     config.action_dispatch.default_headers = {
-      'X-Frame-Options' => 'DENY',
+      'X-Frame-Options'        => 'DENY',
       'X-Content-Type-Options' => 'nosniff',
-      'X-XSS-Protection' => '1; mode=block'
+      'X-XSS-Protection'       => '1; mode=block'
     }
   end
 end