From f3db87f0a718c9999313bc133b60ff54055ccfba Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Sun, 15 Nov 2015 10:31:45 +1300 Subject: Allow multiple origin domains (fix #1526) --- src/org/traccar/web/BaseServlet.java | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/org/traccar/web/BaseServlet.java b/src/org/traccar/web/BaseServlet.java index c3506693f..283edf1e5 100644 --- a/src/org/traccar/web/BaseServlet.java +++ b/src/org/traccar/web/BaseServlet.java @@ -53,10 +53,17 @@ public abstract class BaseServlet extends HttpServlet { try { resp.setContentType(APPLICATION_JSON); resp.setCharacterEncoding(CharsetUtil.UTF_8.name()); - resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, - Context.getConfig().getString("web.origin", ALLOW_ORIGIN_VALUE)); resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_HEADERS, ALLOW_HEADERS_VALUE); resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_METHODS, ALLOW_METHODS_VALUE); + + String origin = req.getHeader(HttpHeaders.Names.ORIGIN); + String allowed = Context.getConfig().getString("web.origin"); + if (allowed == null) { + resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, ALLOW_ORIGIN_VALUE); + } else if (allowed.contains(origin)) { + resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, origin); + } + if (!handle(getCommand(req), req, resp)) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); } -- cgit v1.2.3