From f3db87f0a718c9999313bc133b60ff54055ccfba Mon Sep 17 00:00:00 2001
From: Anton Tananaev <anton.tananaev@gmail.com>
Date: Sun, 15 Nov 2015 10:31:45 +1300
Subject: Allow multiple origin domains (fix #1526)

---
 src/org/traccar/web/BaseServlet.java | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/org/traccar/web/BaseServlet.java b/src/org/traccar/web/BaseServlet.java
index c3506693f..283edf1e5 100644
--- a/src/org/traccar/web/BaseServlet.java
+++ b/src/org/traccar/web/BaseServlet.java
@@ -53,10 +53,17 @@ public abstract class BaseServlet extends HttpServlet {
         try {
             resp.setContentType(APPLICATION_JSON);
             resp.setCharacterEncoding(CharsetUtil.UTF_8.name());
-            resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN,
-                    Context.getConfig().getString("web.origin", ALLOW_ORIGIN_VALUE));
             resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_HEADERS, ALLOW_HEADERS_VALUE);
             resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_METHODS, ALLOW_METHODS_VALUE);
+
+            String origin = req.getHeader(HttpHeaders.Names.ORIGIN);
+            String allowed = Context.getConfig().getString("web.origin");
+            if (allowed == null) {
+                resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, ALLOW_ORIGIN_VALUE);
+            } else if (allowed.contains(origin)) {
+                resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
+            }
+
             if (!handle(getCommand(req), req, resp)) {
                 resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
             }
-- 
cgit v1.2.3