Committer: vtroitsky
LJSUP-11268: Support Cross-Origin Resource Sharing for LJ XMLRPC API, http://www.w3.org/TR/cors/ U trunk/cgi-bin/Apache/LiveJournal.pm
Modified: trunk/cgi-bin/Apache/LiveJournal.pm
===================================================================
--- trunk/cgi-bin/Apache/LiveJournal.pm 2012-02-21 11:19:23 UTC (rev 21226)
+++ trunk/cgi-bin/Apache/LiveJournal.pm 2012-02-21 13:50:45 UTC (rev 21227)
@@ -309,6 +309,17 @@
 LJ::Request->init($r);
 }
+ # Move the following into the special OPTIONS Handler in case of appearence more OPTIONS stuff
+ if (LJ::Request->method_number == LJ::Request->M_OPTIONS && LJ::Request->uri =~ m!^/interface/xmlrpc! ) {
+ if (LJ::Request->header_in('Origin') && LJ::Request->header_in('Access-Control-Request-Method') && LJ::Request->header_in('Access-Control-Request-Headers')) {
+ # response to preflight request, see http://www.w3.org/TR/cors/
+ LJ::Request->header_out('Access-Control-Allow-Origin' => '*');
+ LJ::Request->header_out('Access-Control-Allow-Methods' => 'POST');
+ LJ::Request->header_out('Access-Control-Allow-Headers' => LJ::Request->header_in('Access-Control-Request-Headers') || 'origin, content-type');
+ }
+ return LJ::Request::DECLINED;
+ }
+ # don't deal with subrequests or OPTIONS
 return LJ::Request::DECLINED if ! LJ::Request->is_main || LJ::Request->method_number == LJ::Request->M_OPTIONS;
@@ -2197,6 +2208,7 @@
 if ($RQ{'interface'} eq "xmlrpc") {
 return LJ::Request::NOT_FOUND unless LJ::ModuleCheck->have('XMLRPC::Transport::HTTP');
+ LJ::Request->header_out("Access-Control-Allow-Origin",'*') if(LJ::Request->header_in('Origin'));
 my $server = XMLRPC::Transport::HTTP::Apache -> on_action(sub { die "Access denied\n" if $_[2] =~ /:|\'/ }) -> dispatch_to('LJ::XMLRPC')
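Review bot: The preflight branch echoes the client's `Access-Control-Request-Headers` value straight into `Access-Control-Allow-Headers`, so together with the `*` origin any site may send any request header to `/interface/xmlrpc`. The `|| 'origin, content-type'` fallback can never fire, because the enclosing `if` already requires that request header to be true. A fixed list keeps the policy reviewable: `LJ::Request->header_out('Access-Control-Allow-Headers' => 'origin, content-type');`. The URI test `m!^/interface/xmlrpc!` also has no end anchor, so it matches longer paths sharing that prefix, which looks unintended. The enclosing handler begins and ends outside this hunk.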
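Review bot: In the second hunk `Access-Control-Allow-Origin: *` is set on the real XML-RPC response with no comment saying why a wildcard is acceptable for an API that handles account data. It is only safe if LJ::XMLRPC authenticates purely from the request payload and never from cookies or the client address, which this hunk does not show. That should be confirmed and recorded next to the line, e.g. `# '*' is deliberate: callers authenticate inside the XML-RPC payload; never add Access-Control-Allow-Credentials here`. If only specific partner sites need access, comparing `Origin` against a configured allow-list and echoing the matched value (plus `Vary: Origin`) would be tighter. The statement that builds `$server` continues past the end of the hunk.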