# HG changeset patch
# User Matthew Wild <mwild1@gmail.com>
# Date 1264086472 0
# Node ID cf924f587410d60afcccf8a3d739e888a8525391
# Parent  2f235c57d713c33cd957d54a4741f21031992ed1
mod_bosh: Support for cross-domain access control using CORS

diff -r 2f235c57d713 -r cf924f587410 plugins/mod_bosh.lua
--- a/plugins/mod_bosh.lua	Thu Jan 21 14:53:01 2010 +0000
+++ b/plugins/mod_bosh.lua	Thu Jan 21 15:07:52 2010 +0000
@@ -34,6 +34,23 @@
 local default_headers = { ["Content-Type"] = "text/xml; charset=utf-8" };
 local session_close_reply = { headers = default_headers, body = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate" }), attr = {} };
 
+local http_options, http_denied_options = { headers = {} }, { headers = {} };
+local cross_domain = module:get_option("cross_domain_bosh");
+if cross_domain ~= false then
+	http_options.headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
+	http_options.headers["Access-Control-Allow-Headers"] = "Content-Type";
+	http_options.headers["Access-Control-Max-Age"] = "86400";
+
+	if cross_domain == true then
+		http_options.headers["Access-Control-Allow-Origin"] = "*";
+	elseif type(cross_domain) == "table" then
+		cross_domain = table.concat(cross_domain, ", ");
+	end
+	if type(cross_domain) == "string" then
+		http_options.headers["Access-Control-Allow-Origin"] = cross_domain;
+	end
+end
+
 local t_insert, t_remove, t_concat = table.insert, table.remove, table.concat;
 local os_time = os.time;
 
@@ -59,9 +76,25 @@
 	end
 end
 
+local function send_options_headers(request)
+	if cross_domain == nil then
+		local host = request.headers.host and request.headers.host:match("^[^:]+");
+		if hosts[host] then
+			http_options.headers["Access-Control-Allow-Origin"] = "http://"..host;
+		else
+			return http_denied_options; -- We don't want to reveal the hosts we serve
+		end
+	end
+	return http_options;
+end
+
 function handle_request(method, body, request)
 	if (not body) or request.method ~= "POST" then
-		return "<html><body>You really don't look like a BOSH client to me... what do you want?</body></html>";
+		if request.method == "OPTIONS" then
+			return send_options_headers(request);
+		else
+			return "<html><body>You really don't look like a BOSH client to me... what do you want?</body></html>";
+		end
 	end
 	if not method then
 		log("debug", "Request %s suffered error %s", tostring(request.id), body);