github-forks
/
srs
mirror of https://github.com/ossrs/srs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CORS: Refine HTTP CORS headers. v5.0.130

Browse Source
pull/3367/head
winlin 2 years ago
parent 62963b206f
commit 3612473516
5 changed files with 28 additions and 8 deletions
Show Stats Download Patch File Download Diff File

14
trunk/3rdparty/httpx-static/main.go vendored
Unescape Escape View File

@ -412,10 +412,18 @@ func run(ctx context.Context) error {
oh.SetHeader(w) oh.SetHeader(w)
if o := r.Header.Get("Origin"); len(o) > 0 { if o := r.Header.Get("Origin"); len(o) > 0 {
// SRS does not need cookie or credentials, so we disable CORS credentials, and use * for CORS origin,
// headers, expose headers and methods.
w.Header().Set("Access-Control-Allow-Origin", "*") w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, HEAD, PUT, DELETE, OPTIONS") // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
w.Header().Set("Access-Control-Expose-Headers", "Server,range,Content-Length,Content-Range") w.Header().Set("Access-Control-Allow-Headers", "*")
w.Header().Set("Access-Control-Allow-Headers", "origin,range,accept-encoding,referer,Cache-Control,X-Proxy-Authorization,X-Requested-With,Content-Type") // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
w.Header().Set("Access-Control-Allow-Methods", "*")
// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
w.Header().Set("Access-Control-Expose-Headers", "*")
// https://stackoverflow.com/a/24689738/17679565
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
w.Header().Set("Access-Control-Allow-Credentials", "false")
} }
// For matched OPTIONS, directly return without response. // For matched OPTIONS, directly return without response.

2
trunk/3rdparty/httpx-static/version.go vendored
Unescape Escape View File

@ -35,7 +35,7 @@ func VersionMinor() int {
} }
func VersionRevision() int { func VersionRevision() int {
return 26 return 27
} }
func Version() string { func Version() string {

1
trunk/doc/CHANGELOG.md
Unescape Escape View File

@ -8,6 +8,7 @@ The changelog for SRS.
## SRS 5.0 Changelog ## SRS 5.0 Changelog
* v5.0, 2023-01-05, CORS: Refine HTTP CORS headers. v5.0.130
* v5.0, 2023-01-03, Add blackbox test for HLS and MP3 codec. v5.0.129 * v5.0, 2023-01-03, Add blackbox test for HLS and MP3 codec. v5.0.129
* v5.0, 2023-01-02, Merge [#3355](https://github.com/ossrs/srs/pull/3355): Test: Support blackbox test by FFmpeg. v5.0.128 * v5.0, 2023-01-02, Merge [#3355](https://github.com/ossrs/srs/pull/3355): Test: Support blackbox test by FFmpeg. v5.0.128
* v5.0, 2023-01-02, Fix [#3347](https://github.com/ossrs/srs/issues/3347): Asan: Disable asan for CentOS and use statically link if possible. v5.0.127 * v5.0, 2023-01-02, Fix [#3347](https://github.com/ossrs/srs/issues/3347): Asan: Disable asan for CentOS and use statically link if possible. v5.0.127

2
trunk/src/core/srs_core_version5.hpp
Unescape Escape View File

@ -9,6 +9,6 @@
#define VERSION_MAJOR 5 #define VERSION_MAJOR 5
#define VERSION_MINOR 0 #define VERSION_MINOR 0
#define VERSION_REVISION 129 #define VERSION_REVISION 130
#endif #endif

17
trunk/src/protocol/srs_protocol_http_stack.cpp
Unescape Escape View File

@ -891,10 +891,21 @@ srs_error_t SrsHttpCorsMux::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessag
// When CORS required, set the CORS headers. // When CORS required, set the CORS headers.
if (required) { if (required) {
SrsHttpHeader* h = w->header(); SrsHttpHeader* h = w->header();
// SRS does not need cookie or credentials, so we disable CORS credentials, and use * for CORS origin,
// headers, expose headers and methods.
h->set("Access-Control-Allow-Origin", "*"); h->set("Access-Control-Allow-Origin", "*");
h->set("Access-Control-Allow-Methods", "GET, POST, HEAD, PUT, DELETE, OPTIONS"); // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
h->set("Access-Control-Expose-Headers", "Server,range,Content-Length,Content-Range"); h->set("Access-Control-Allow-Headers", "*");
h->set("Access-Control-Allow-Headers", "origin,range,accept-encoding,referer,Cache-Control,X-Proxy-Authorization,X-Requested-With,Content-Type"); // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
h->set("Access-Control-Allow-Methods", "*");
// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
// Only the CORS-safelisted response headers are exposed by default. That is Cache-Control, Content-Language,
// Content-Length, Content-Type, Expires, Last-Modified, Pragma.
// See https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header
h->set("Access-Control-Expose-Headers", "*");
// https://stackoverflow.com/a/24689738/17679565
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
h->set("Access-Control-Allow-Credentials", "false");
} }
// handle the http options. // handle the http options.

Write Preview
Loading…
Cancel
Save