Add CORS header to allow any origin.

We don't need CORS protection because we don't use cookies at all (so a different origin cant exploit cookie saving to steal our session).
2026-04-25 10:58:40 +01:00 · 2014-01-09 20:50:52 -10:00
parent 8c74ad073b
commit e39016ad35
2 changed files with 46 additions and 0 deletions
--- a/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
+++ b/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
@@ -20,6 +20,7 @@ import com.google.common.base.Optional;
 import com.yammer.dropwizard.Service;
 import com.yammer.dropwizard.config.Bootstrap;
 import com.yammer.dropwizard.config.Environment;
+import com.yammer.dropwizard.config.FilterBuilder;
 import com.yammer.dropwizard.db.DatabaseConfiguration;
 import com.yammer.dropwizard.jdbi.DBIFactory;
 import com.yammer.dropwizard.migrations.MigrationsBundle;
@@ -62,9 +63,11 @@ import org.whispersystems.textsecuregcm.storage.PendingDeviceRegistrations;
 import org.whispersystems.textsecuregcm.storage.PendingDevicesManager;
 import org.whispersystems.textsecuregcm.storage.StoredMessageManager;
 import org.whispersystems.textsecuregcm.storage.StoredMessages;
+import org.whispersystems.textsecuregcm.util.CORSHeaderFilter;
 import org.whispersystems.textsecuregcm.util.UrlSigner;
 import org.whispersystems.textsecuregcm.workers.DirectoryCommand;

+import java.io.IOException;
 import java.security.Security;
 import java.util.concurrent.TimeUnit;

@@ -143,6 +146,8 @@ public class WhisperServerService extends Service<WhisperServerConfiguration> {
    environment.addProvider(new IOExceptionMapper());
    environment.addProvider(new RateLimitExceededExceptionMapper());

+    environment.addFilter(new CORSHeaderFilter(), "/*");
+
    if (config.getGraphiteConfiguration().isEnabled()) {
      GraphiteReporter.enable(15, TimeUnit.SECONDS,
                              config.getGraphiteConfiguration().getHost(),