Add cross-origin access on json interface

doc/chilli.conf

@@ -216,6 +216,12 @@ uamserver https://www.spotcove.net
 # Do not uncomment this tag unless you are an experienced user!
 #uamport 3990
 
+# TAG: alloworigin
+# Add header Access-Control-Allow-Origin on json interface for enable
+# cross-origin HTTP requests.
+#
+#alloworigin "*"
+
 # TAG: uamallowed
 # Comma separated list of domain names, IP addresses or network segments
 # the client can access without first authenticating.

doc/chilli.conf.5.in

@@ -642,6 +642,11 @@ IP address.
 .BI uamuiport " port"
 TCP port to bind to for only serving embedded content.
 
+.TP
+.BI alloworigin " origin"
+Add header Access-Control-Allow-Origin on json interface for enable
+cross-origin HTTP requests (default *)
+
 .TP
 .BI uamallowed " domain"
 Comma separated list of resources the client can access without first

src/cmdline.ggo

@@ -153,6 +153,7 @@ option "uamlogoutip"  - "HTTP Auto-Logout IP Address" string default="1.0.0.0" n
 option "uamaliasip"   - "Special IP Address aliased (redirect) to uamlisten/uamport" string default="1.0.0.1" no
 option "uamaliasname" - "Special simple hostname (no dots) to be resolved to uamaliasip" string no
 option "uamhostname"  - "Special simple hostname (no dots) to be resolved to uamlisten" string no
+option "alloworigin"  - "Allow cross-origin HTTP requests on json interface" string argoptional default="*" no
 
 option "authedallowed" - "Resources exempt from session limitations" string no multiple
 option "uamauthedallowed" - "Use uamallowed as resources exempt from session limitations" flag off

src/main-opt.c

@@ -1398,6 +1398,15 @@ int main(int argc, char **argv) {
   _options.usestatusfile = STRDUP(args_info.usestatusfile_arg);
   _options.uamaliasname = STRDUP(args_info.uamaliasname_arg);
   _options.uamhostname = STRDUP(args_info.uamhostname_arg);
+
+  if (args_info.alloworigin_given)
+#ifdef ENABLE_JSON
+    _options.alloworigin = STRDUP(args_info.alloworigin_arg);
+#endif
+#if(_debug_ && !defined(ENABLE_JSON))
+    syslog(LOG_WARNING, "JSON not implemented. build with --enable-json");
+#endif
+
   _options.binconfig = STRDUP(args_info.bin_arg);
   _options.ethers = STRDUP(args_info.ethers_arg);
 #ifdef ENABLE_IEEE8021Q

src/options.c

@@ -361,6 +361,10 @@ int options_fromfd(int fd, bstring bt) {
   if (!option_s_l(bt, &o.uamaliasname)) return 0;
   if (!option_s_l(bt, &o.uamhostname)) return 0;
 
+#ifdef ENABLE_JSON
+  if (!option_s_l(bt, &o.alloworigin)) return 0;
+#endif
+
 #ifdef ENABLE_REDIRINJECT
   if (!option_s_l(bt, &o.inject)) return 0;
   if (!option_s_l(bt, &o.inject_ext)) return 0;
@@ -561,6 +565,10 @@ int options_save(char *file, bstring bt) {
   if (!option_s_s(bt, &o.uamaliasname)) return 0;
   if (!option_s_s(bt, &o.uamhostname)) return 0;
 
+#ifdef ENABLE_JSON
+  if (!option_s_s(bt, &o.alloworigin)) return 0;
+#endif
+
 #ifdef ENABLE_REDIRINJECT
   if (!option_s_s(bt, &o.inject)) return 0;
   if (!option_s_s(bt, &o.inject_ext)) return 0;

src/options.h

@@ -181,6 +181,10 @@ struct options_t {
   char *uamaliasname;            /* Simple hostname (no dots) DNS name for uamalias */
   char *uamhostname;             /* Simple hostname (no dots) DNS name for uamlisten */
 
+#ifdef ENABLE_JSON
+  char *alloworigin;
+#endif
+
 #ifdef ENABLE_FORCEDNS
   struct in_addr forcedns1_addr;  /* IP address to force DNS to */
   struct in_addr forcedns2_addr;  /* IP address to force DNS to */

src/redir.c

@@ -1403,6 +1403,16 @@ static int redir_json_reply(struct redir_t *redir, int res, struct redir_conn_t
   bassignformat(tmp , "%d", blength(json));
   bconcat(s, tmp);
 
+  if (_options.alloworigin) {
+    if (!strncmp(_options.alloworigin, "*", 1)) {
+      bcatcstr(s, "\r\nAccess-Control-Allow-Origin: *");
+    } else {
+      bassignformat(tmp , "\r\nAccess-Control-Allow-Origin: %s", _options.alloworigin);
+      bconcat(s, tmp);
+      bcatcstr(s, "\r\nVary: Origin");
+    }
+  }
+
   bcatcstr(s, "\r\nContent-Type: ");
   if (tmp->slen) bcatcstr(s, "text/javascript");
   else bcatcstr(s, "application/json");