authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2024-07-28 14:19:40 +0200
committerGravatar GitHub <noreply@github.com> 2024-07-28 14:19:40 +0200
commit47a3e15edc2a2e9d76a3374a2f5ed7197b2aedea (patch)
treeb0ff5ae7b8b3d81d934bd0147f1f92ed8782be4d /p/api
parent5267db88abf7c8546e8ba47c6d4acfd362a82e1d (diff)
Add default API CORS HTTP Headers (#6659)
* Add default API CORS HTTP Headers To allow interacting with our APIs from a JavaScript application. So far limited to the APIs: Greader, User queries Fix https://github.com/FreshRSS/FreshRSS/discussions/6654#discussioncomment-10131144 * Early abort for OPTIONS requests * Move a bit OPTIONS test * No content! * More cleaning
Diffstat (limited to 'p/api')
-rw-r--r--p/api/greader.php14
-rw-r--r--p/api/query.php9
2 files changed, 23 insertions, 0 deletions
diff --git a/p/api/greader.php b/p/api/greader.php
index 9c3479546..a19512cfd 100644
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -113,6 +113,12 @@ function debugInfo(): string {
final class GReaderAPI {
/** @return never */
+ private static function noContent() {
+ header('HTTP/1.1 204 No Content');
+ exit();
+ }
+
+ /** @return never */
private static function badRequest() {
Minz_Log::warning(__METHOD__, API_LOG);
Minz_Log::debug(__METHOD__ . ' ' . debugInfo(), API_LOG);
@@ -987,6 +993,14 @@ final class GReaderAPI {
public static function parse() {
global $ORIGINAL_INPUT;
+ header('Access-Control-Allow-Headers: Authorization');
+ header('Access-Control-Allow-Methods: GET, POST');
+ header('Access-Control-Allow-Origin: *');
+ header('Access-Control-Max-Age: 600');
+ if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
+ self::noContent();
+ }
+
$pathInfo = '';
if (empty($_SERVER['PATH_INFO'])) {
if (!empty($_SERVER['ORIG_PATH_INFO'])) {
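Review bot: The wildcard `Access-Control-Allow-Origin: *` added at the top of parse() is sent on every response, so script on any web page can now read this API's responses, and `Access-Control-Allow-Headers: Authorization` lets it present a token it already holds. Browsers do not attach cookies to requests answered with a wildcard origin, so exposure is limited to callers that know a credential, but that still covers an instance reachable only from the visitor's own network. I would record the trust decision next to the headers, e.g. `// CORS: open to any origin by design; access control rests on the Authorization token only, never on cookies`, and consider letting the administrator restrict the allowed origin. parse() continues past the end of the hunk, so whether later code depends on session cookies cannot be confirmed from here.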
diff --git a/p/api/query.php b/p/api/query.php
index 8fe3c44b0..fff48503e 100644
--- a/p/api/query.php
+++ b/p/api/query.php
@@ -159,6 +159,15 @@ if ($query->getName() != '') {
}
FreshRSS_Context::systemConf()->allow_anonymous = true;
+header('Access-Control-Allow-Methods: GET');
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Max-Age: 600');
+header('Cache-Control: public, max-age=60');
+if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
+ header('HTTP/1.1 204 No Content');
+ exit();
+}
+
if (in_array($format, ['rss', 'atom'], true)) {
header('Content-Type: application/rss+xml; charset=utf-8');
$view->_layout(null);
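Review bot: `header('Cache-Control: public, max-age=60');` sits above the OPTIONS branch, so the 204 preflight answer is also marked publicly cacheable, and the line is not a CORS header although it is grouped with them. Moving it below the `exit();` would keep it on the real responses only. The context line before the additions sets `allow_anonymous = true`, so with `Access-Control-Allow-Origin: *` the query result is readable by any page that knows the URL, and `public` lets shared caches keep serving it for up to 60 seconds after sharing is withdrawn. That is presumably intended, but it deserves a comment such as `// shared queries are public by URL; a short shared-cache lifetime is intended`. The surrounding script starts and ends outside the hunk.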