From 3b021818504986d66055a22e1e69150c61eff6a0 Mon Sep 17 00:00:00 2001
From: Jochen Topf
Date: Thu, 9 Oct 2014 09:33:40 +0200
Subject: Add config setting for CORS header.

The response header Access-Control-Allow-Origin was always set to '*' for API URLs. This is creating some problems with Apache (see https://github.com/openstreetmap/iD/issues/2333), so it is now configurable. The value of the new config setting "instance.access_control_allow_origin" is used for that header now, or, if the variable is empty, the header is not set at all.
---
 taginfo-config-example.json | 7 ++++++-
 web/taginfo.rb | 5 ++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/taginfo-config-example.json b/taginfo-config-example.json
index c2c0264..d72b224 100644
--- a/taginfo-config-example.json
+++ b/taginfo-config-example.json
@@ -16,7 +16,12 @@
 // Contact name and email address.
 "contact": "Anonymous",
 // Geographical area this taginfo instance covers.
- "area": "World"
+ "area": "World",
+ // Add CORS header Access-Control-Allow-Origin with the given value
+ // to all /api responses. Use "" to not set this header, disallowing
+ // external services to use your API from a browser. Set to "*" to
+ // allow anybody.
+ "access_control_allow_origin": "*"
 },
 // For the geodistribution map. See the wiki documentation about these settings.
 "geodistribution": {
diff --git a/web/taginfo.rb b/web/taginfo.rb
index 1ca00fe..dcb3d3e 100755
--- a/web/taginfo.rb
+++ b/web/taginfo.rb
@@ -138,7 +138,10 @@ class Taginfo < Sinatra::Base
 before '/api/*' do
 content_type :json
 expires next_update
- headers['Access-Control-Allow-Origin'] = '*'
+ cors = TaginfoConfig.get('instance.access_control_allow_origin', '')
+ if cors != ""
+ headers['Access-Control-Allow-Origin'] = cors
+ end
 begin
 @ap = APIParameters.new(params)
 rescue ArgumentError => ex
-- 
cgit v1.2.3
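Review bot: The added comment describes `""` as "disallowing external services to use your API from a browser", which reads like an access control; leaving the header out only stops cross-origin browser scripts from reading /api responses, and every non-browser client can still call the API, so the comment should say that. It should also name the accepted values, because this header takes `*` or exactly one origin and browsers reject a list, for example `// Value must be "*" or one origin such as "https://example.org" (constructed example); a list of origins is not valid.` Judging by the `''` default in the web/taginfo.rb hunk, an absent key behaves like `""`, which is worth one more comment line such as `// If this key is missing the header is not sent.`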
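Review bot: The configured value is copied into `Access-Control-Allow-Origin` unchecked, and the `cors != ""` guard in the `before '/api/*'` filter rejects only the exact empty string. A whitespace-only value would be sent as a header, a JSON `null` or non-string value may reach the assignment too (that depends on how `TaginfoConfig.get` applies its default, which is not visible here), and a list of origins would be emitted although browsers accept only `*` or a single origin. I would normalise first with `cors = TaginfoConfig.get('instance.access_control_allow_origin', '').to_s.strip` and then write `headers['Access-Control-Allow-Origin'] = cors unless cors.empty?`. Installations whose config file lacks the new key stop sending the header after this change; that fails closed, but it is a behaviour change that deserves a line in the upgrade notes. The `before` block continues outside the hunk.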