Add config setting for CORS header.

The response header Access-Control-Allow-Origin was always set to '*' for API
URLs. This is creating some problems with Apache (see
https://github.com/openstreetmap/iD/issues/2333), so it is now configurable.
The value of the new config setting "instance.access_control_allow_origin" is
used for that header now, or, if the variable is empty, the header is not set
at all.

2 files changed, 10 insertions, 2 deletions

diff --git a/taginfo-config-example.json b/taginfo-config-example.json
index c2c0264..d72b224 100644
--- a/taginfo-config-example.json
+++ b/taginfo-config-example.json
@@ -16,7 +16,12 @@
         // Contact name and email address.
         "contact": "Anonymous",
         // Geographical area this taginfo instance covers.
-        "area": "World"
+        "area": "World",
+        // Add CORS header Access-Control-Allow-Origin with the given value
+        // to all /api responses. Use "" to not set this header, disallowing
+        // external services to use your API from a browser. Set to "*" to
+        // allow anybody.
+        "access_control_allow_origin": "*"
     },
     // For the geodistribution map. See the wiki documentation about these settings.
     "geodistribution": {
diff --git a/web/taginfo.rb b/web/taginfo.rb
index 1ca00fe..dcb3d3e 100755
--- a/web/taginfo.rb
+++ b/web/taginfo.rb
@@ -138,7 +138,10 @@ class Taginfo < Sinatra::Base
     before '/api/*' do
         content_type :json
         expires next_update
-        headers['Access-Control-Allow-Origin'] = '*'
+        cors = TaginfoConfig.get('instance.access_control_allow_origin', '')
+        if cors != ""
+            headers['Access-Control-Allow-Origin'] = cors
+        end
         begin
             @ap = APIParameters.new(params)
         rescue ArgumentError => ex