Allow to configure "allowed domains" for CORS on DAV #40537
base: master
Commits on Sep 20, 2023
Enabled CORS on webdav and ocs

* Exclude DAV CORS handling when no Origin specified
  This will exclude non-browser clients from CORS handling. Fixes some clients like davfs which break when CORS is enabled.
* fix: CORS on WebDAV is not working
  WebDAV is not working at all when used by in-browser JavaScript because the CORS headers are only present in the OPTIONS request, but not in the subsequent WebDAV methods.
* This behavior is caused by an erroneous json_decode call while retrieving the user's domains whitelist. It returns an object, so the is_array always fails and no headers are sent.
* Add Access-Control-Expose-Headers - to allow clients to access certain headers
* Adding many headers as allowed headers + add capability to read additional allowed headers from config.php
Commit c1fa640
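The commit message above names three behaviours: skipping CORS when no Origin is sent, sending the headers on every DAV method rather than only on OPTIONS, and the `json_decode`/`is_array` mismatch. The PHP below is an added example showing those checks together; it is not code from this pull request, and the function name `corsHeadersFor`, the stored JSON shape, the exposed-header list and the sample origins are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not the project's code): returns the CORS headers to
// attach to a DAV response, or an empty array when none apply.
function corsHeadersFor(?string $origin, string $storedAllowList, bool $assoc = true): array
{
    // No Origin header means a non-browser client (e.g. davfs): skip CORS.
    if ($origin === null || $origin === '') {
        return [];
    }

    // With $assoc = false a JSON object decodes to stdClass, is_array() fails
    // and no header is ever sent, which is the bug the commit message describes.
    $domains = json_decode($storedAllowList, $assoc);
    if (!is_array($domains)) {
        return [];
    }

    // Exact, strict match against the allow-list: never reflect an arbitrary
    // Origin and never fall back to "*".
    if (!in_array($origin, $domains, true)) {
        return [];
    }

    return [
        'Access-Control-Allow-Origin' => $origin,
        'Vary' => 'Origin', // keep caches from mixing per-origin responses
        // Constructed sample value; what to expose is deployment-specific.
        'Access-Control-Expose-Headers' => 'ETag, DAV',
    ];
}

// Constructed sample data; assumes the allow-list is stored as a JSON object.
$stored = '{"1":"https://app.example.com"}';

// The same check runs for every method, not only the OPTIONS preflight.
foreach (['OPTIONS', 'PROPFIND', 'PUT'] as $method) {
    $headers = corsHeadersFor('https://app.example.com', $stored);
    printf("%-8s %s\n", $method, json_encode($headers, JSON_UNESCAPED_SLASHES));
}

var_dump(corsHeadersFor('https://app.example.com', $stored, false)); // object-decode path
var_dump(corsHeadersFor('https://other.example', $stored));          // origin not allow-listed
var_dump(corsHeadersFor(null, $stored));                             // request without Origin
```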
Removed beforeController Logic

I removed the beforeController logic here due to the change of handling CORS since PR 28457[1]

According to previous implementation, CORS was only allowed with methods that had @publicpage notation for preventing CSRF attacks. But in the latest PR by me, the current implementation is as follows:

* maintain a white-list of domains for whom CORS is enabled
* This list can be viewed and edited under settings -> personal -> security

This implementation removes the need for `@PublicPage`[2].

[1] owncloud/core#28457
[2] owncloud/core#28864
Commit 0cb950e
fix: Make CORS handling admin configurable and fix tests
Also make sure to only return allowed methods for DAV responses

Signed-off-by: Ferdinand Thiessen <[email protected]>
Commit e608e5d
feat: Implement settings frontend for allowed CORS domains
Signed-off-by: Ferdinand Thiessen <[email protected]>
Commit 33ae58e
Signed-off-by: Ferdinand Thiessen <[email protected]>
Commit bcfaa85
fix: Resolve some psalm issues
Signed-off-by: Ferdinand Thiessen <[email protected]>
Commit d00b9cd