From 234e471289e7556b0a9f70a01ceefc5814396f9f Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sun, 11 Nov 2018 05:40:55 +0000 Subject: [PATCH 1/2] config: properly configure CORSPlug. --- config/config.exs | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/config/config.exs b/config/config.exs index a6be69620..e82c490e3 100644 --- a/config/config.exs +++ b/config/config.exs @@ -176,6 +176,20 @@ limit: 23, web: "https://vinayaka.distsn.org/?{{host}}+{{user}}" +config :cors_plug, + max_age: 86_400, + methods: ["POST", "PUT", "DELETE", "GET", "PATCH", "OPTIONS"], + expose: [ + "Link", + "X-RateLimit-Reset", + "X-RateLimit-Limit", + "X-RateLimit-Remaining", + "X-Request-Id", + "Idempotency-Key" + ], + credentials: true, + headers: ["Authorization", "Content-Type", "Idempotency-Key"] + # Import environment specific config. This must remain at the bottom # of this file so it overrides the configuration defined above. import_config "#{Mix.env()}.exs" From fd918863aa842fda58c620434e3b1f15d510cb53 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sun, 11 Nov 2018 05:42:30 +0000 Subject: [PATCH 2/2] nginx example config: remove CORS headers, now managed by CORSPlug. --- installation/pleroma.nginx | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index 65a3cdb4c..9b7419497 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -60,16 +60,6 @@ server { client_max_body_size 16m; location / { - # if you do not want remote frontends to be able to access your Pleroma backend - # server, remove these lines. - add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; - add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; - if ($request_method = OPTIONS) { - return 204; - } - # stop removing lines here. - add_header X-XSS-Protection "1; mode=block" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Frame-Options "DENY" always;