-- -- Licensed to the Apache Software Foundation (ASF) under one or more -- contributor license agreements. See the NOTICE file distributed with -- this work for additional information regarding copyright ownership. -- The ASF licenses this file to You under the Apache License, Version 2.0 -- (the "License"); you may not use this file except in compliance with -- the License. You may obtain a copy of the License at -- -- http://www.apache.org/licenses/LICENSE-2.0 -- -- Unless required by applicable law or agreed to in writing, software -- distributed under the License is distributed on an "AS IS" BASIS, -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -- See the License for the specific language governing permissions and -- limitations under the License. -- --- @module Cors -- Used to set cors headers for preflight and simple requests local _M = {} local request = require 'lib/request' function _M.processCall(resourceConfig) if resourceConfig.cors ~= nil then ngx.var.cors_origins = resourceConfig.cors.origin ngx.var.cors_methods = resourceConfig.cors.methods -- preflight options call if resourceConfig.cors.origin ~= 'false' and ngx.req.get_method() == 'OPTIONS' then -- 'Access-Control-Allow-Headers' response header is required for preflight requests that have 'Access-Control-Request-Headers' headers local accessControlRequestHeaders = ngx.req.get_headers()['Access-Control-Request-Headers'] if accessControlRequestHeaders ~= nil then ngx.header['Access-Control-Allow-Headers'] = accessControlRequestHeaders end request.success(200) end end end function _M.replaceHeaders() if ngx.var.cors_origins ~= nil and ngx.var.cors_origins ~= '' then if ngx.var.cors_origins == 'false' then ngx.header['Access-Control-Allow-Origin'] = nil ngx.header['Access-Control-Allow-Methods'] = nil ngx.header['Access-Control-Allow-Headers'] = nil ngx.header['Access-Control-Allow-Credentials'] = nil ngx.header['Access-Control-Expose-Headers'] = nil ngx.header['Access-Control-Max-Age'] = nil else ngx.header['Access-Control-Allow-Origin'] = ngx.var.cors_origins == 'true' and (ngx.var.http_origin or '*') or ngx.var.cors_origins ngx.header['Access-Control-Allow-Methods'] = ngx.var.cors_methods or 'GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS' ngx.header['Access-Control-Allow-Credentials'] = 'true' end end end return _M