From 651a9d30ce7c16a2a13d060b2fdd483c5af32cc0 Mon Sep 17 00:00:00 2001
From: Jon Nordby
Date: Sat, 7 Jun 2014 01:04:32 +0200
Subject: [PATCH] API: Only allow cross-origin requests if explicitly enabled

To enable, set the key "allowCrossOrigin" under "api" in config.yml
No user interface for this option yet
---
 src/octoprint/server/api/__init__.py | 11 ++++++-----
 src/octoprint/settings.py | 3 ++-
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/octoprint/server/api/__init__.py b/src/octoprint/server/api/__init__.py
index c384b56c..ccfa1590 100644
--- a/src/octoprint/server/api/__init__.py
+++ b/src/octoprint/server/api/__init__.py
@@ -63,7 +63,7 @@ def beforeApiRequests():
 the request.
 """

- if request.method == 'OPTIONS':
+ if request.method == 'OPTIONS' and s().getBoolean(["api", "allowCrossOrigin"]):
 return optionsAllowOrigin(request)

 apikey = getApiKey(request)
@@ -93,13 +93,14 @@ def beforeApiRequests():

 @api.after_request
 def afterApiRequests(resp):
- """"""
+ """"""

 # Allow crossdomain
- if request.method != 'OPTIONS' and 'Origin' in request.headers:
- resp.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
+ allowCrossOrigin = s().getBoolean(["api", "allowCrossOrigin"])
+ if request.method != 'OPTIONS' and 'Origin' in request.headers and allowCrossOrigin:
+ resp.headers['Access-Control-Allow-Origin'] = request.headers['Origin']

- return resp
+ return resp


 #~~ first run setup
diff --git a/src/octoprint/settings.py b/src/octoprint/settings.py
index 54285cb3..d599791e 100644
--- a/src/octoprint/settings.py
+++ b/src/octoprint/settings.py
@@ -131,7 +131,8 @@ default_settings = {
 },
 "api": {
 "enabled": False,
- "key": ''.join('%02X' % ord(z) for z in uuid.uuid4().bytes)
+ "key": ''.join('%02X' % ord(z) for z in uuid.uuid4().bytes),
+ "allowCrossOrigin": False
 },
 "terminalFilters": [
 { "name": "Suppress M105 requests/responses", "regex": "(Send: M105)|(Recv: ok T\d*:)" },
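Review bot: With `allowCrossOrigin` at its new default, an OPTIONS preflight no longer returns from `optionsAllowOrigin` but falls through to `apikey = getApiKey(request)` and the key check below it; a browser preflight carries no API key, so it is rejected there, which is the intended outcome but reads like an accidental fall-through without a comment. Suggested comment above the changed `if`: `# Preflights are only answered when cross-origin access is enabled; otherwise they fall through to the API-key check, which a browser preflight (no custom headers) cannot pass.` What status the key check returns for a key-less OPTIONS request is not visible in this hunk; confirm it is a plain 4xx so the preflight fails cleanly rather than, say, redirecting. `beforeApiRequests` starts and ends outside the hunk.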
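Review bot: The new-side assignment `resp.headers['Access-Control-Allow-Origin'] = request.headers['Origin']` still reflects whatever `Origin` the client sent, so once the flag is on the API is reachable from every origin (equivalent to `*`), and because the header value now depends on the request origin a shared cache can hand one origin's response to another unless the response also sends `Vary: Origin`. Add `resp.headers.add('Vary', 'Origin')` next to the assignment (this assumes a werkzeug `Headers` object, which the Flask-style `@api.after_request` decorator suggests — confirm). A safer follow-up would make the setting a list of permitted origins compared against `request.headers['Origin']` instead of a boolean, so enabling cross-origin access does not mean enabling it for every site. `optionsAllowOrigin`, which presumably emits the same header for preflights, is not visible here and would need the same `Vary` treatment.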
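Review bot: The new `"allowCrossOrigin": False` default carries no explanation, so anyone editing config.yml or this defaults table cannot tell that flipping it is security-relevant; the only description lives in the commit message. A one-line comment on the new entry would do: `# when True, API responses echo the request's Origin in Access-Control-Allow-Origin, i.e. any site may call the API given a valid key`. Keeping `False` as the default is the right call and the comment should say so. `default_settings` starts and ends outside the hunk.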