X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/77519738715b21fbb4ea384c9b56ccc2d9fb4687..2a44ff581f4c547a3637ea52567a3398b1d8bfe0:/config/initializers/cors.rb?ds=inline diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb index 6fbeb9161..2bd558d2f 100644 --- a/config/initializers/cors.rb +++ b/config/initializers/cors.rb @@ -1,13 +1,30 @@ require "rack/cors" +# Mark CORS responses as uncacheable as we don't want a browser to +# try and reuse a response that had a different origin, even with +# revalidation, as the origin check will fail. +module OpenStreetMap + class Cors < Rack::Cors + def call(env) + status, headers, body = super env + headers["Cache-Control"] = "no-cache" if headers["Access-Control-Allow-Origin"] + [status, headers, body] + end + end +end + # Allow any and all cross-origin requests to the API. Allow any origin, and # any headers. Non-browser requests do not have origin or header restrictions, # so browser-requests should be similarly permitted. (Though the API does not # require any custom headers, Ajax frameworks may automatically add headers # such as X-Requested-By to requests.) -Rails.configuration.middleware.use Rack::Cors do +Rails.configuration.middleware.use OpenStreetMap::Cors do allow do origins "*" + resource "/oauth/*", :headers => :any, :methods => [:get, :post] resource "/api/*", :headers => :any, :methods => [:get, :post, :put, :delete] + resource "/diary/rss", :headers => :any, :methods => [:get] + resource "/diary/*/rss", :headers => :any, :methods => [:get] + resource "/user/*/diary/rss", :headers => :any, :methods => [:get] end end