Clean up CORS implementation
authorNoah Hilverling <noah.hilverling@icinga.com>
Mon, 12 Feb 2018 14:06:23 +0000 (15:06 +0100)
committerNoah Hilverling <noah.hilverling@icinga.com>
Thu, 1 Mar 2018 13:04:56 +0000 (14:04 +0100)
doc/09-object-types.md
lib/remote/apilistener.ti
lib/remote/httpserverconnection.cpp

index b846964db2d104b18f62bd2182e824b8934a7f61..fadbf8a3380f3399f5e463ca483b88d718eb08dc 100644 (file)
@@ -64,9 +64,13 @@ Configuration Attributes:
   cipher\_list                          | String                | **Optional.** Cipher list that is allowed. For a list of available ciphers run `openssl ciphers`. Defaults to `ALL:!LOW:!WEAK:!MEDIUM:!EXP:!NULL`.
   tls\_protocolmin                      | String                | **Optional.** Minimum TLS protocol version. Must be one of `TLSv1`, `TLSv1.1` or `TLSv1.2`. Defaults to `TLSv1`.
   access\_control\_allow\_origin        | Array                 | **Optional.** Specifies an array of origin URLs that may access the API. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Origin)
-  access\_control\_allow\_credentials   | Boolean               | **Optional.** Indicates whether or not the actual request can be made using credentials. Defaults to `true`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Credentials)
-  access\_control\_allow\_headers       | String                | **Optional.** Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. Defaults to `Authorization`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Headers)
-  access\_control\_allow\_methods       | String                | **Optional.** Used in response to a preflight request to indicate which HTTP methods can be used when making the actual request. Defaults to `GET, POST, PUT, DELETE`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Methods)
+  access\_control\_allow\_credentials   | Boolean               | **Deprecated.** Indicates whether or not the actual request can be made using credentials. Defaults to `true`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Credentials)
+  access\_control\_allow\_headers       | String                | **Deprecated.** Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. Defaults to `Authorization`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Headers)
+  access\_control\_allow\_methods       | String                | **Deprecated.** Used in response to a preflight request to indicate which HTTP methods can be used when making the actual request. Defaults to `GET, POST, PUT, DELETE`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Methods)
+
+The attributes `access_control_allow_credentials`, `access_control_allow_headers` and `access_control_allow_methods`
+are controlled by Icinga 2 and are not changeable by config any more.
+
 
 The ApiListener type expects its certificate files to be in the following locations:
 
index 97570f64a2165873bbfbb92f5f665be482b5cff7..e072fcd20ce61fbbbe904f511e2969a46d4737f6 100644 (file)
@@ -49,21 +49,10 @@ class ApiListener : ConfigObject
 
        [config] String ticket_salt;
 
-       [config] Array::Ptr access_control_allow_origin {
-               default {{{ return new Array(); }}}
-       };
-       [config] bool access_control_allow_credentials
-       {
-               default {{{ return true; }}}
-       };
-       [config] String access_control_allow_headers
-       {
-               default {{{ return "Authorization"; }}}
-       };
-       [config] String access_control_allow_methods
-       {
-               default {{{ return "GET, POST, PUT, DELETE"; }}}
-       };
+       [config] Array::Ptr access_control_allow_origin;
+       [config, deprecated] bool access_control_allow_credentials;
+       [config, deprecated] String access_control_allow_headers;
+       [config, deprecated] String access_control_allow_methods;
 
 
        [state, no_user_modify] Timestamp log_message_timestamp;
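Review bot: Dropping `default {{{ return new Array(); }}}` from `access_control_allow_origin` means an ApiListener that does not set the attribute now carries a null `Array::Ptr` instead of an empty array. Any consumer that iterates the array without a null check (the CORS origin match in httpserverconnection.cpp is the likely one, but it is not visible in this hunk) would now dereference null, so either restore the default or confirm that the consumer guards against null. If the null value is intentional, a comment above the field such as `// unset (null) means no origins are allowed; consumers must null-check` would make that contract explicit.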
index 53f287a87295688061f22aa8b384e2a6b22df22d..28b43b5f199f878beb2e3aa14ba3cc82480a4768 100644 (file)
@@ -227,16 +227,15 @@ bool HttpServerConnection::ManageHeaders(HttpResponse& response)
                        }
                }
 
-               if (listener->GetAccessControlAllowCredentials())
-                       response.AddHeader("Access-Control-Allow-Credentials", "true");
+               response.AddHeader("Access-Control-Allow-Credentials", "true");
 
                String accessControlRequestMethodHeader = m_CurrentRequest.Headers->Get("access-control-request-method");
 
                if (m_CurrentRequest.RequestMethod == "OPTIONS" && !accessControlRequestMethodHeader.IsEmpty()) {
                        response.SetStatus(200, "OK");
 
-                       response.AddHeader("Access-Control-Allow-Methods", listener->GetAccessControlAllowMethods());
-                       response.AddHeader("Access-Control-Allow-Headers", listener->GetAccessControlAllowHeaders());
+                       response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
+                       response.AddHeader("Access-Control-Allow-Headers", "Authorization, X-HTTP-Method-Override");
 
                        String msg = "Preflight OK";
                        response.WriteBody(msg.CStr(), msg.GetLength());
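Review bot: The header list at `response.AddHeader("Access-Control-Allow-Headers", "Authorization, X-HTTP-Method-Override");` no longer matches doc/09-object-types.md as updated in this same commit, which still says the value defaults to `Authorization`; since the value is now fixed, the doc rows should state the actual emitted list for both headers and methods. The two CORS literals and the `"true"` for Access-Control-Allow-Credentials would be clearer as named constants, e.g. `static const char *const kCorsAllowHeaders = "Authorization, X-HTTP-Method-Override";`, so code and documentation have one place to update. `Access-Control-Allow-Credentials: true` is now emitted unconditionally here, which is only valid when Access-Control-Allow-Origin carries a specific origin rather than `*`; the origin handling above this hunk presumably guarantees that, and a one-line comment stating the dependency would help the next reader. ManageHeaders starts before and continues past this hunk.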