CORS: Refine HTTP CORS headers. v5.0.130

2 years ago · 3612473516
parent 62963b206f
commit 3612473516
5 changed files with 28 additions and 8 deletions
--- a/trunk/3rdparty/httpx-static/main.go
+++ b/trunk/3rdparty/httpx-static/main.go
@ -412,10 +412,18 @@ func run(ctx context.Context) error {
 		oh.SetHeader(w)

 		if o := r.Header.Get("Origin"); len(o) > 0 {
+			// SRS does not need cookie or credentials, so we disable CORS credentials, and use * for CORS origin,
+			// headers, expose headers and methods.
 			w.Header().Set("Access-Control-Allow-Origin", "*")
-			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, HEAD, PUT, DELETE, OPTIONS")
-			w.Header().Set("Access-Control-Expose-Headers", "Server,range,Content-Length,Content-Range")
-			w.Header().Set("Access-Control-Allow-Headers", "origin,range,accept-encoding,referer,Cache-Control,X-Proxy-Authorization,X-Requested-With,Content-Type")
+			// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
+			w.Header().Set("Access-Control-Allow-Headers", "*")
+			// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
+			w.Header().Set("Access-Control-Allow-Methods", "*")
+			// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
+			w.Header().Set("Access-Control-Expose-Headers", "*")
+			// https://stackoverflow.com/a/24689738/17679565
+			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
+			w.Header().Set("Access-Control-Allow-Credentials", "false")
 		}

 		// For matched OPTIONS, directly return without response.
--- a/trunk/3rdparty/httpx-static/version.go
+++ b/trunk/3rdparty/httpx-static/version.go
@ -35,7 +35,7 @@ func VersionMinor() int {
 }

 func VersionRevision() int {
-	return 26
+	return 27
 }

 func Version() string {
--- a/trunk/doc/CHANGELOG.md
+++ b/trunk/doc/CHANGELOG.md
@ -8,6 +8,7 @@ The changelog for SRS.

 ## SRS 5.0 Changelog

+* v5.0, 2023-01-05, CORS: Refine HTTP CORS headers. v5.0.130
 * v5.0, 2023-01-03, Add blackbox test for HLS and MP3 codec. v5.0.129
 * v5.0, 2023-01-02, Merge [#3355](https://github.com/ossrs/srs/pull/3355): Test: Support blackbox test by FFmpeg. v5.0.128
 * v5.0, 2023-01-02, Fix [#3347](https://github.com/ossrs/srs/issues/3347): Asan: Disable asan for CentOS and use statically link if possible. v5.0.127
--- a/trunk/src/core/srs_core_version5.hpp
+++ b/trunk/src/core/srs_core_version5.hpp
@ -9,6 +9,6 @@

 #define VERSION_MAJOR       5
 #define VERSION_MINOR       0
-#define VERSION_REVISION    129
+#define VERSION_REVISION    130

 #endif
--- a/trunk/src/protocol/srs_protocol_http_stack.cpp
+++ b/trunk/src/protocol/srs_protocol_http_stack.cpp
@ -891,10 +891,21 @@ srs_error_t SrsHttpCorsMux::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessag
    // When CORS required, set the CORS headers.
    if (required) {
        SrsHttpHeader* h = w->header();
+        // SRS does not need cookie or credentials, so we disable CORS credentials, and use * for CORS origin,
+        // headers, expose headers and methods.
        h->set("Access-Control-Allow-Origin", "*");
-        h->set("Access-Control-Allow-Methods", "GET, POST, HEAD, PUT, DELETE, OPTIONS");
-        h->set("Access-Control-Expose-Headers", "Server,range,Content-Length,Content-Range");
-        h->set("Access-Control-Allow-Headers", "origin,range,accept-encoding,referer,Cache-Control,X-Proxy-Authorization,X-Requested-With,Content-Type");
+        // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
+        h->set("Access-Control-Allow-Headers", "*");
+        // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
+        h->set("Access-Control-Allow-Methods", "*");
+        // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
+        // Only the CORS-safelisted response headers are exposed by default. That is Cache-Control, Content-Language,
+        // Content-Length, Content-Type, Expires, Last-Modified, Pragma.
+        // See https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header
+        h->set("Access-Control-Expose-Headers", "*");
+        // https://stackoverflow.com/a/24689738/17679565
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
+        h->set("Access-Control-Allow-Credentials", "false");
    }
    
    // handle the http options.