diff --git a/trunk/3rdparty/httpx-static/main.go b/trunk/3rdparty/httpx-static/main.go index f2a86bf26..782674a73 100644 --- a/trunk/3rdparty/httpx-static/main.go +++ b/trunk/3rdparty/httpx-static/main.go @@ -412,10 +412,18 @@ func run(ctx context.Context) error { oh.SetHeader(w) if o := r.Header.Get("Origin"); len(o) > 0 { + // SRS does not need cookie or credentials, so we disable CORS credentials, and use * for CORS origin, + // headers, expose headers and methods. w.Header().Set("Access-Control-Allow-Origin", "*") - w.Header().Set("Access-Control-Allow-Methods", "GET, POST, HEAD, PUT, DELETE, OPTIONS") - w.Header().Set("Access-Control-Expose-Headers", "Server,range,Content-Length,Content-Range") - w.Header().Set("Access-Control-Allow-Headers", "origin,range,accept-encoding,referer,Cache-Control,X-Proxy-Authorization,X-Requested-With,Content-Type") + // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers + w.Header().Set("Access-Control-Allow-Headers", "*") + // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods + w.Header().Set("Access-Control-Allow-Methods", "*") + // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers + w.Header().Set("Access-Control-Expose-Headers", "*") + // https://stackoverflow.com/a/24689738/17679565 + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials + w.Header().Set("Access-Control-Allow-Credentials", "false") } // For matched OPTIONS, directly return without response. diff --git a/trunk/3rdparty/httpx-static/version.go b/trunk/3rdparty/httpx-static/version.go index 12a9cdbb1..cc1b8b5f6 100644 --- a/trunk/3rdparty/httpx-static/version.go +++ b/trunk/3rdparty/httpx-static/version.go @@ -35,7 +35,7 @@ func VersionMinor() int { } func VersionRevision() int { - return 26 + return 27 } func Version() string { diff --git a/trunk/doc/CHANGELOG.md b/trunk/doc/CHANGELOG.md index 7d2068471..c51ce2a77 100644 --- a/trunk/doc/CHANGELOG.md +++ b/trunk/doc/CHANGELOG.md @@ -8,6 +8,7 @@ The changelog for SRS. ## SRS 5.0 Changelog +* v5.0, 2023-01-05, CORS: Refine HTTP CORS headers. v5.0.130 * v5.0, 2023-01-03, Add blackbox test for HLS and MP3 codec. v5.0.129 * v5.0, 2023-01-02, Merge [#3355](https://github.com/ossrs/srs/pull/3355): Test: Support blackbox test by FFmpeg. v5.0.128 * v5.0, 2023-01-02, Fix [#3347](https://github.com/ossrs/srs/issues/3347): Asan: Disable asan for CentOS and use statically link if possible. v5.0.127 diff --git a/trunk/src/core/srs_core_version5.hpp b/trunk/src/core/srs_core_version5.hpp index 986d50648..5f47d0a71 100644 --- a/trunk/src/core/srs_core_version5.hpp +++ b/trunk/src/core/srs_core_version5.hpp @@ -9,6 +9,6 @@ #define VERSION_MAJOR 5 #define VERSION_MINOR 0 -#define VERSION_REVISION 129 +#define VERSION_REVISION 130 #endif diff --git a/trunk/src/protocol/srs_protocol_http_stack.cpp b/trunk/src/protocol/srs_protocol_http_stack.cpp index 991e8d307..09c147c69 100644 --- a/trunk/src/protocol/srs_protocol_http_stack.cpp +++ b/trunk/src/protocol/srs_protocol_http_stack.cpp @@ -891,10 +891,21 @@ srs_error_t SrsHttpCorsMux::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessag // When CORS required, set the CORS headers. if (required) { SrsHttpHeader* h = w->header(); + // SRS does not need cookie or credentials, so we disable CORS credentials, and use * for CORS origin, + // headers, expose headers and methods. h->set("Access-Control-Allow-Origin", "*"); - h->set("Access-Control-Allow-Methods", "GET, POST, HEAD, PUT, DELETE, OPTIONS"); - h->set("Access-Control-Expose-Headers", "Server,range,Content-Length,Content-Range"); - h->set("Access-Control-Allow-Headers", "origin,range,accept-encoding,referer,Cache-Control,X-Proxy-Authorization,X-Requested-With,Content-Type"); + // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers + h->set("Access-Control-Allow-Headers", "*"); + // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods + h->set("Access-Control-Allow-Methods", "*"); + // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers + // Only the CORS-safelisted response headers are exposed by default. That is Cache-Control, Content-Language, + // Content-Length, Content-Type, Expires, Last-Modified, Pragma. + // See https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header + h->set("Access-Control-Expose-Headers", "*"); + // https://stackoverflow.com/a/24689738/17679565 + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials + h->set("Access-Control-Allow-Credentials", "false"); } // handle the http options.