This diff adds the ability to specify a CORS header for httpd(8) static
content.

All feedback appreciated - Thanks, in advance!

--

Index: usr.sbin/httpd/httpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.121
diff -u -p -u -p -r1.121 httpd.conf.5
--- usr.sbin/httpd/httpd.conf.5    9 Mar 2022 13:50:41 -0000    1.121
+++ usr.sbin/httpd/httpd.conf.5    1 Jul 2022 06:25:18 -0000
@@ -297,6 +297,12 @@ for example the maximum time to wait for
 The default timeout is 600 seconds (10 minutes).
 The maximum is 2147483647 seconds (68 years).
 .El
+.It Ic cors-static Ar option
+Set a Cross-Origin Resource Sharing (CORS)
+.Pa Access-Control-Allow-Origin
+header value.
+.Pp
+The CORS header, if specified, is added for static content only.
 .It Ic default type Ar type/subtype
 Set the default media type for the specified location,
 overwriting the global setting.
Index: usr.sbin/httpd/httpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.160
diff -u -p -u -p -r1.160 httpd.h
--- usr.sbin/httpd/httpd.h    2 Mar 2022 11:10:43 -0000    1.160
+++ usr.sbin/httpd/httpd.h    1 Jul 2022 06:25:18 -0000
@@ -393,6 +393,7 @@ SPLAY_HEAD(client_tree, client);
 #define SRVFLAG_PATH_REWRITE    0x01000000
 #define SRVFLAG_NO_PATH_REWRITE    0x02000000
 #define SRVFLAG_GZIP_STATIC    0x04000000
+#define SRVFLAG_CORS_STATIC    0x08000000
 #define SRVFLAG_LOCATION_FOUND    0x40000000
 #define SRVFLAG_LOCATION_NOT_FOUND 0x80000000
 
@@ -480,6 +481,7 @@ struct server_config {
     char             root[PATH_MAX];
     char             path[PATH_MAX];
     char             index[PATH_MAX];
+    char             cors_static[PATH_MAX];
     char             accesslog[PATH_MAX];
     char             errorlog[PATH_MAX];
     struct media_type     default_type;
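Review bot: `cors_static` is sized with `PATH_MAX`, a filesystem path limit, although it holds an HTTP header value rather than a path. A short comment on the field would make that intent clear, for example `/* Access-Control-Allow-Origin value for static files */`. The field also adds PATH_MAX bytes to every `struct server_config`, so if the struct is copied between processes (not visible in this hunk) a smaller dedicated bound may be preferable. The struct definition begins and ends outside this hunk.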
Index: usr.sbin/httpd/parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.128
diff -u -p -u -p -r1.128 parse.y
--- usr.sbin/httpd/parse.y    27 Feb 2022 20:30:30 -0000    1.128
+++ usr.sbin/httpd/parse.y    1 Jul 2022 06:25:18 -0000
@@ -141,7 +141,7 @@ typedef struct {
 %token    TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD
REQUEST
 %token    ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS REWRITE
 %token    CA CLIENT CRL OPTIONAL PARAM FORWARDED FOUND NOT
-%token    ERRDOCS GZIPSTATIC
+%token    ERRDOCS GZIPSTATIC CORSSTATIC
 %token    <v.string>    STRING
 %token  <v.number>    NUMBER
 %type    <v.port>    port
@@ -554,6 +554,7 @@ serveroptsl    : LISTEN ON STRING opttls po
         | fastcgi
         | authenticate
         | gzip_static
+        | cors_static
         | filter
         | LOCATION optfound optmatch STRING    {
             struct server        *s;
@@ -1226,6 +1227,27 @@ gzip_static    : NO GZIPSTATIC        {
         }
         ;
 
+cors_static    : CORSSTATIC corsflags
+        | CORSSTATIC '{' optnl corsflags_l '}'
+        ;
+
+corsflags_l    : corsflags optcommanl corsflags_l
+        | corsflags optnl
+        ;
+
+corsflags    : STRING        {
+            if (strlcpy(srv->srv_conf.cors_static, $1,
+                sizeof(srv->srv_conf.cors_static)) >=
+                sizeof(srv->srv_conf.cors_static)) {
+                yyerror("cors value too long");
+                free($1);
+                YYERROR;
+            }
+            free($1);
+            srv->srv_conf.flags |= SRVFLAG_CORS_STATIC;
+        }
+        ;
+
 tcpip        : TCP '{' optnl tcpflags_l '}'
         | TCP tcpflags
         ;
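Review bot: The braces form `CORSSTATIC '{' optnl corsflags_l '}'` accepts several strings, but every `corsflags` action copies into the same `srv->srv_conf.cors_static` buffer, so all values except the last are silently discarded. Access-Control-Allow-Origin carries a single value, so reducing the rule to `cors_static : CORSSTATIC STRING` would match what the server can actually send. The string is also stored verbatim and later emitted as a response header, so rejecting an empty value and any CR or LF character with `yyerror` before the `strlcpy` would stop a malformed configuration from producing a broken header. Unlike the `NO GZIPSTATIC` rule visible in the hunk header, no `no cors-static` form is added, so a location presumably cannot switch off a value it inherits.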
@@ -1439,6 +1461,7 @@ lookup(char *s)
         { "combined",        COMBINED },
         { "common",        COMMON },
         { "connection",        CONNECTION },
+        { "cors-static",    CORSSTATIC },
         { "crl",        CRL },
         { "default",        DEFAULT },
         { "dhe",        DHE },
Index: usr.sbin/httpd/server_file.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_file.c,v
retrieving revision 1.74
diff -u -p -u -p -r1.74 server_file.c
--- usr.sbin/httpd/server_file.c    4 Mar 2022 01:46:07 -0000    1.74
+++ usr.sbin/httpd/server_file.c    1 Jul 2022 06:25:18 -0000
@@ -269,6 +269,12 @@ server_file_request(struct httpd *env, s
         }
     }
 
+    if (srv_conf->flags & SRVFLAG_CORS_STATIC) {
+        struct http_descriptor    *resp = clt->clt_descresp;
+        kv_add(&resp->http_headers,
+            "Access-Control-Allow-Origin", srv_conf->cors_static);
+    }
+
     /* Now open the file, should be readable or we have another problem */
     if (fd == -1) {
         if ((fd = open(path, O_RDONLY)) == -1)
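Review bot: The result of `kv_add()` is ignored in the added block, so if the call fails (it appears to return NULL on allocation failure) the response goes out without the header and nothing is reported. Checking it with `if (kv_add(&resp->http_headers, "Access-Control-Allow-Origin", srv_conf->cors_static) == NULL)` and taking the function's existing error path would make the failure visible. The header is added just before the file is opened, so any response that `server_file_request` produces earlier (conditional or range handling, if that happens above this hunk) would not carry it; that is worth confirming against the man page's "static content only" wording. The function starts and ends outside this hunk.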

--
David Rinehart
