From 448ab18a201c902b4e7a1aa468c352c20d034989 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Wed, 9 Nov 2016 18:06:01 +0100
Subject: Replace setting custom CORS headers with rack-cors, set it on /oauth/token endpoint
---
 config/application.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'config')
diff --git a/config/application.rb b/config/application.rb
index 552f4ec11..dfe49b8ec 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -27,6 +27,15 @@ module Mastodon
     config.active_job.queue_adapter = :sidekiq
+    config.middleware.insert_before 0, Rack::Cors do
+      allow do
+        origins '*'
+        resource '/api/*', :headers => :any, :methods => [:post, :put, :delete, :get, :options], credentials: false
+        resource '/oauth/token', :headers => :any, :methods => [:post], credentials: false
+      end
+    end
+
     config.middleware.use Rack::Attack
     config.middleware.use Rack::Deflater
@@ -38,9 +47,9 @@ module Mastodon
     end
     config.action_dispatch.default_headers = {
-      'X-Frame-Options' => 'DENY',
+      'X-Frame-Options' => 'DENY',
       'X-Content-Type-Options' => 'nosniff',
-      'X-XSS-Protection' => '1; mode=block'
+      'X-XSS-Protection' => '1; mode=block'
     }
   end
 end
--
cgit
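Review bot: `config.middleware.insert_before 0, Rack::Cors` runs CORS ahead of `Rack::Attack`, so a preflight `OPTIONS` that rack-cors answers itself never reaches the throttle; that is the placement rack-cors documents, but the reason and the trade-off deserve a comment, because the same block opens `/oauth/token` to `origins '*'` and only `credentials: false` keeps a browser from attaching the user's session cookie to those cross-origin calls. I would add above the block: `# Rack::Cors must sit first so preflights are answered before Rack::Attack; credentials: false is load-bearing with origins '*' — it stops a third-party page from riding the session cookie into /api or /oauth/token, so do not relax it`. The `/api/*` method list omits `:patch`, so any API route that accepts PATCH (none is visible here) would fail preflight; `:methods => [:post, :put, :patch, :delete, :get, :options]` if that applies. The enclosing `class Application` opens and closes outside this hunk.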