From aa4a43a1a5af3e5759a5e667eea44ff10fdd3700 Mon Sep 17 00:00:00 2001
From: jessop
Date: Sun, 29 Sep 2019 14:54:17 -0400
Subject: [PATCH] cors
---
 package-lock.json | 9 +++++++++
 package.json | 1 +
 server/index.js | 20 +++++++++++++++++++-
 3 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/package-lock.json b/package-lock.json
index c25cc17d..0d8c6e30 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3611,6 +3611,15 @@
 "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
 "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac="
 },
+ "cors": {
+ "version": "2.8.5",
+ "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.5.tgz",
+ "integrity": "sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==",
+ "requires": {
+ "object-assign": "^4",
+ "vary": "^1"
+ }
+ },
 "cosmiconfig": {
 "version": "5.0.7",
 "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-5.0.7.tgz",
diff --git a/package.json b/package.json
index 9b224229..8ad68ed5 100644
--- a/package.json
+++ b/package.json
@@ -41,6 +41,7 @@
 "body-parser": "^1.18.3",
 "connect-multiparty": "^2.2.0",
 "cookie-session": "^2.0.0-beta.3",
+ "cors": "^2.8.5",
 "express": "^4.16.4",
 "express-handlebars": "^3.0.0",
 "express-http-context": "^1.2.0",
diff --git a/server/index.js b/server/index.js
index 87455cea..64225f47 100644
--- a/server/index.js
+++ b/server/index.js
@@ -3,6 +3,7 @@ const express = require('express');
 const bodyParser = require('body-parser');
 const expressHandlebars = require('express-handlebars');
 const helmet = require('helmet');
+const cors = require('cors');
 const cookieSession = require('cookie-session');
 const http = require('http');
 const logger = require('winston');
@@ -82,7 +83,24 @@ function Server() {
 // set HTTP headers to protect against well-known web vulnerabilties
 app.use(helmet());
-
+ // open cors for lbry.tv lbry.tech localhost lbry.com
+ var whitelist = [
+ 'https://lbry.com',
+ 'https://lbry.tech',
+ 'https://lbry.tv',
+ 'http://localhost',
+ 'http://localhost:1337',
+ ];
+ var corsOptions = {
+ origin: function(origin, callback) {
+ if (whitelist.indexOf(origin) !== -1) {
+ callback(null, true);
+ } else {
+ callback(new Error('Not allowed by CORS'));
+ }
+ },
+ };
+ app.use(cors(corsOptions));
 // Support per-request http-context
 app.use(httpContext.middleware);
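Review bot: The `origin` callback added to `corsOptions` rejects every request that carries no `Origin` header, because `whitelist.indexOf(undefined)` is -1, and the middleware is mounted globally with `app.use`, so typical same-origin page loads, health checks and server-to-server calls all take the error branch. The cors middleware forwards that `Error` to Express error handling, so those requests fail outright instead of merely lacking CORS headers. I would change the test to `if (!origin || whitelist.indexOf(origin) !== -1) {` and answer disallowed origins with `callback(null, false);`, which omits `Access-Control-Allow-Origin` and leaves enforcement to the browser; CORS does not restrict non-browser clients either way. The two `http://localhost` entries also ship to production as written, so consider loading the allow-list from configuration and adding a short comment saying which origins are allowed and why. The enclosing `Server()` body starts and ends outside this hunk.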