mastodon/config/initializers/cors.rb

# Be sure to restart your server when you modify this file.

# Avoid CORS issues when API is called from the frontend app.
# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin AJAX requests.

# Read more: https://github.com/cyu/rack-cors

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'

    resource '/.well-known/*',
      headers: :any,
      methods: [:get],
      credentials: false
    resource '/@:username',
      headers: :any,
      methods: [:get],
      credentials: false
    resource '/users/:username',
      headers: :any,
      methods: [:get],
      credentials: false
    resource '/api/*',
      headers: :any,
      methods: [:post, :put, :delete, :get, :patch, :options],
      credentials: false,
      expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id']
    resource '/oauth/token',
      headers: :any,
      methods: [:post],
      credentials: false
  end
end
Upgrade Rails to version 5.2.0 (#5898) 2018-04-12 21:45:17 +09:00			`# Be sure to restart your server when you modify this file.`

			`# Avoid CORS issues when API is called from the frontend app.`
			`# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin AJAX requests.`

			`# Read more: https://github.com/cyu/rack-cors`

			`Rails.application.config.middleware.insert_before 0, Rack::Cors do`
			`allow do`
			`origins '*'`

Allow cross-origin requests to /.well-known/* URLs. (#9083) Right now, this includes three endpoints: host-meta, webfinger, and change-password. host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser. change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled. The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery. 2018-10-24 20:13:35 -05:00			`resource '/.well-known/*',`
			`headers: :any,`
			`methods: [:get],`
			`credentials: false`
Upgrade Rails to version 5.2.0 (#5898) 2018-04-12 21:45:17 +09:00			`resource '/@:username',`
			`headers: :any,`
			`methods: [:get],`
			`credentials: false`
Use same CORS policy for /@:username and /users/:username (#9485) Fixes #8189 rack-cors being called before the application router, it does not follow the redirection, and we need a separate rule for /users/:username. 2018-12-10 21:39:47 +01:00			`resource '/users/:username',`
			`headers: :any,`
			`methods: [:get],`
			`credentials: false`
Upgrade Rails to version 5.2.0 (#5898) 2018-04-12 21:45:17 +09:00			`resource '/api/*',`
			`headers: :any,`
			`methods: [:post, :put, :delete, :get, :patch, :options],`
			`credentials: false,`
			`expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id']`
			`resource '/oauth/token',`
			`headers: :any,`
			`methods: [:post],`
			`credentials: false`
			`end`
			`end`