allow CORS domains to be configured from settings.py

Rather than hard-coding the list of allowed domains for CORS requests, allow settings.py to specify the allowed list of domains in an allowed_domains variable. This can either be a compiled regex or a string.
asrashley · Jun 23, 2022 · 34c45cb · 34c45cb
1 parent 567ec30
commit 34c45cb
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -15,14 +15,20 @@ A settings.py needs to be created that contains
 
     from utils import on_production_server
 
-    cookie_secret='arandomstring'
+    cookie_secret = 'arandomstring'
     csrf_secret = 'arandomstring'
-    DEBUG=not on_production_server
+    DEBUG = not on_production_server
+    allowed_domains = "*"
 
 The cookie_secret and csrf_secret variables need to contain a randomly
 generated block of ascii characters. There is a gen_settings.py script
 that can be used to auto-generate settings.py
 
+The `allowed_domains` setting is optional. If it is missing, a default
+list of domains that supports common JavaScript DASH libraries will be
+used. An `allowed_domains` value of "*" tells the server to allow any
+request from any domain.
+
 ### Running development server directly on the host machine
 Install the Python 2 Google App Engine (GAE)
 

diff --git a/gen-settings.py b/gen-settings.py
@@ -6,6 +6,7 @@
 cookie_secret = r'{cookie}'
 csrf_secret = r'{csrf}'
 DEBUG = not on_production_server
+allowed_domains = "*"
 """
 
 cookie = []

diff --git a/src/views.py b/src/views.py
@@ -99,7 +99,7 @@ class RequestHandler(webapp2.RequestHandler):
     CSRF_EXPIRY = 1200
     CSRF_KEY_LENGTH = 32
     CSRF_SALT_LENGTH = 8
-    ALLOWED_DOMAINS = re.compile(
+    DEFAULT_ALLOWED_DOMAINS = re.compile(
         r'^http://(dashif\.org)|(shaka-player-demo\.appspot\.com)|(mediapm\.edgesuite\.net)')
     DEFAULT_TIMESHIFT_BUFFER_DEPTH = 60
     INJECTED_ERROR_CODES = [404, 410, 503, 504]
@@ -672,12 +672,18 @@ def dict_to_cgi_params(params):
         return ''
 
     def add_allowed_origins(self):
+        allowed_domains = getattr(settings, 'allowed_domains', self.DEFAULT_ALLOWED_DOMAINS)
+        if allowed_domains == "*":
+            self.response.headers.add_header("Access-Control-Allow-Origin", "*")
+            self.response.headers.add_header("Access-Control-Allow-Methods", "HEAD, GET, POST")
+            return
         try:
-            if self.ALLOWED_DOMAINS.search(self.request.headers['Origin']):
-                self.response.headers.add_header(
-                    "Access-Control-Allow-Origin", self.request.headers['Origin'])
-                self.response.headers.add_header(
-                    "Access-Control-Allow-Methods", "HEAD, GET, POST")
+            if isinstance(allowed_domains, str):
+                allowed_domains = re.compile(allowed_domains)
+            if allowed_domains.search(self.request.headers['Origin']):
+                self.response.headers.add_header("Access-Control-Allow-Origin",
+                                                 self.request.headers['Origin'])
+                self.response.headers.add_header("Access-Control-Allow-Methods", "HEAD, GET, POST")
         except KeyError:
             pass