Issue #48: Disabled cross-domain requests by default

2026-02-27 04:06:30 +00:00 · 2020-09-22 17:58:10 +03:00
parent 278645ce51
commit b498ae7e38
3 changed files with 13 additions and 3 deletions
--- a/src/http/server.c
+++ b/src/http/server.c
@@ -112,6 +112,7 @@ struct http_server_t *http_server_init(struct stream_t *stream) {
 	server->user = "";
 	server->passwd = "";
 	server->static_path = "";
+	server->allow_origin = "";
 	server->timeout = 10;
 	server->last_as_blank = -1;
 	server->run = run;
@@ -456,7 +457,9 @@ static void _http_callback_snapshot(struct evhttp_request *request, void *v_serv
 	assert((buf = evbuffer_new()));
 	assert(!evbuffer_add(buf, (const void *)EXPOSED(picture->data), EXPOSED(picture->used)));

-	ADD_HEADER("Access-Control-Allow-Origin:", "*");
+	if (server->allow_origin[0] != '\0') {
+		ADD_HEADER("Access-Control-Allow-Origin", server->allow_origin);
+	}
 	ADD_HEADER("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate, pre-check=0, post-check=0, max-age=0");
 	ADD_HEADER("Pragma", "no-cache");
 	ADD_HEADER("Expires", "Mon, 3 Jan 2000 12:34:56 GMT");
@@ -620,9 +623,11 @@ static void _http_callback_stream_write(struct bufferevent *buf_event, void *v_c
 			"Content-Type: image/jpeg" RN "X-Timestamp: %.06Lf" RN RN, get_now_real()))

 	if (client->need_initial) {
+		assert(evbuffer_add_printf(buf, "HTTP/1.0 200 OK" RN));
+		if (client->server->allow_origin[0] != '\0') {
+			assert(evbuffer_add_printf(buf, "Access-Control-Allow-Origin: %s" RN, client->server->allow_origin));
+		}
 		assert(evbuffer_add_printf(buf,
-			"HTTP/1.0 200 OK" RN
-			"Access-Control-Allow-Origin: *" RN
 			"Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, pre-check=0, post-check=0, max-age=0" RN
 			"Pragma: no-cache" RN
 			"Expires: Mon, 3 Jan 2000 12:34:56 GMT" RN
--- a/src/http/server.h
+++ b/src/http/server.h
@@ -97,6 +97,7 @@ struct http_server_t {
 	char		*user;
 	char		*passwd;
 	char		*static_path;
+	char		*allow_origin;

 	char		*blank_path;
 	int			last_as_blank;
--- a/src/options.c
+++ b/src/options.c
@@ -99,6 +99,7 @@ enum _OPT_VALUES {
 	_O_USER,
 	_O_PASSWD,
 	_O_STATIC,
+	_O_ALLOW_ORIGIN,
 	_O_TCP_NODELAY,
 	_O_SERVER_TIMEOUT,

@@ -175,6 +176,7 @@ static const struct option _LONG_OPTS[] = {
 	{"last-as-blank",			required_argument,	NULL,	_O_LAST_AS_BLANK},
 	{"drop-same-frames",		required_argument,	NULL,	_O_DROP_SAME_FRAMES},
 	{"slowdown",				no_argument,		NULL,	_O_SLOWDOWN},
+	{"allow-origin",			required_argument,	NULL,	_O_ALLOW_ORIGIN},
 	{"fake-resolution",			required_argument,	NULL,	_O_FAKE_RESOLUTION},
 	{"tcp-nodelay",				no_argument,		NULL,	_O_TCP_NODELAY},
 	{"server-timeout",			required_argument,	NULL,	_O_SERVER_TIMEOUT},
@@ -398,6 +400,7 @@ int options_parse(struct options_t *options, struct device_t *dev, struct encode
 			case _O_DROP_SAME_FRAMES:	OPT_NUMBER("--drop-same-frames", server->drop_same_frames, 0, VIDEO_MAX_FPS, 0);
 			case _O_SLOWDOWN:			OPT_SET(server->slowdown, true);
 			case _O_FAKE_RESOLUTION:	OPT_RESOLUTION("--fake-resolution", server->fake_width, server->fake_height, false);
+			case _O_ALLOW_ORIGIN:		OPT_SET(server->allow_origin, optarg);
 			case _O_TCP_NODELAY:		OPT_SET(server->tcp_nodelay, true);
 			case _O_SERVER_TIMEOUT:		OPT_NUMBER("--server-timeout", server->timeout, 1, 60, 0);

@@ -645,6 +648,7 @@ static void _help(struct device_t *dev, struct encoder_t *encoder, struct http_s
 	printf("    -R|--fake-resolution <WxH>  ─ Override image resolution for the /state. Default: disabled.\n\n");
 	printf("    --tcp-nodelay  ────────────── Set TCP_NODELAY flag to the client /stream socket. Ignored for --unix.\n");
 	printf("                                  Default: disabled.\n\n");
+	printf("    --allow-origin <str>  ─────── Set Access-Control-Allow-Origin header. Default: disabled.\n\n");
 	printf("    --server-timeout <sec>  ───── Timeout for client connections. Default: %u.\n\n", server->timeout);
 #ifdef WITH_GPIO
 	printf("GPIO options:\n");