From e39016ad35bba6d8df0d4a4b69ddaf3b1a940a67 Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Thu, 9 Jan 2014 20:50:52 -1000 Subject: [PATCH] Add CORS header to allow any origin. We don't need CORS protection because we don't use cookies at all (so a different origin cant exploit cookie saving to steal our session). --- .../textsecuregcm/WhisperServerService.java | 5 +++ .../textsecuregcm/util/CORSHeaderFilter.java | 41 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 src/main/java/org/whispersystems/textsecuregcm/util/CORSHeaderFilter.java diff --git a/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java b/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java index eb39f035c..88a3e9007 100644 --- a/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java +++ b/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java @@ -20,6 +20,7 @@ import com.google.common.base.Optional; import com.yammer.dropwizard.Service; import com.yammer.dropwizard.config.Bootstrap; import com.yammer.dropwizard.config.Environment; +import com.yammer.dropwizard.config.FilterBuilder; import com.yammer.dropwizard.db.DatabaseConfiguration; import com.yammer.dropwizard.jdbi.DBIFactory; import com.yammer.dropwizard.migrations.MigrationsBundle; @@ -62,9 +63,11 @@ import org.whispersystems.textsecuregcm.storage.PendingDeviceRegistrations; import org.whispersystems.textsecuregcm.storage.PendingDevicesManager; import org.whispersystems.textsecuregcm.storage.StoredMessageManager; import org.whispersystems.textsecuregcm.storage.StoredMessages; +import org.whispersystems.textsecuregcm.util.CORSHeaderFilter; import org.whispersystems.textsecuregcm.util.UrlSigner; import org.whispersystems.textsecuregcm.workers.DirectoryCommand; +import java.io.IOException; import java.security.Security; import java.util.concurrent.TimeUnit; @@ -143,6 +146,8 @@ public class WhisperServerService extends Service { environment.addProvider(new IOExceptionMapper()); environment.addProvider(new RateLimitExceededExceptionMapper()); + environment.addFilter(new CORSHeaderFilter(), "/*"); + if (config.getGraphiteConfiguration().isEnabled()) { GraphiteReporter.enable(15, TimeUnit.SECONDS, config.getGraphiteConfiguration().getHost(), diff --git a/src/main/java/org/whispersystems/textsecuregcm/util/CORSHeaderFilter.java b/src/main/java/org/whispersystems/textsecuregcm/util/CORSHeaderFilter.java new file mode 100644 index 000000000..e193dd755 --- /dev/null +++ b/src/main/java/org/whispersystems/textsecuregcm/util/CORSHeaderFilter.java @@ -0,0 +1,41 @@ +/** + * Copyright (C) 2014 Open WhisperSystems + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ +package org.whispersystems.textsecuregcm.util; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; + +public class CORSHeaderFilter implements Filter { + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + if (response instanceof HttpServletResponse) { + ((HttpServletResponse) response).addHeader("Access-Control-Allow-Origin", "*"); + ((HttpServletResponse) response).addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE"); + ((HttpServletResponse) response).addHeader("Access-Control-Allow-Headers", "Authorization, Content-type"); + } + chain.doFilter(request, response); + } + + @Override public void init(FilterConfig filterConfig) throws ServletException { } + @Override public void destroy() { } +}