Yet another fix for credentials CORS

LEARNER-568

Yet another fix for credentials CORS
LEARNER-568
9274647e · Clinton Blackburn · a9bb5336 · 9274647e
Commit 9274647e authored Apr 13, 2017 by Clinton Blackburn
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 6 deletions

playbooks/roles/credentials/templates/edx/app/nginx/sites-available/credentials.j2
+15 -6

No files found.
--- a/playbooks/roles/credentials/templates/edx/app/nginx/sites-available/credentials.j2
+++ b/playbooks/roles/credentials/templates/edx/app/nginx/sites-available/credentials.j2
@@ -15,9 +15,14 @@ upstream credentials_app_server {
 {% endfor %}
 }

-map $http_origin $cors_header {
-  default "";
-  '~*^https?://({{ CREDENTIALS_CORS_ORIGIN_WHITELIST|join('|')|replace('.', '\.') }})' "$http_origin";
+map $http_host $DO_CORS {
+  hostnames;
+
+  default 'false';
+
+{% for host in CREDENTIALS_CORS_ORIGIN_WHITELIST %}
+  {{ host }} 'true';
+{% endfor %}
 }

 server {
@@ -43,10 +48,14 @@ server {
  }

  location ~ ^{{ CREDENTIALS_STATIC_URL }}(?P<file>.*) {
-    if ($request_method = 'OPTIONS') {
-      add_header 'Access-Control-Allow-Origin' "$cors_header" always;
-      add_header 'Access-Control-Allow-Methods' 'GET, POST';
+    if ($DO_CORS = 'true') {
+      add_header 'Access-Control-Allow-Origin' "$http_origin" always;
+      add_header 'Access-Control-Allow-Methods' 'GET';
+      add_header 'Access-Control-Allow-Credentials' 'true' always;
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+    }
+
+    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;