From 9fe2c4463cb4a1b5728273ac563cd42708ee41c8 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <adellam@isti.cnr.it>
Date: Fri, 21 Jul 2017 18:45:34 +0200
Subject: [PATCH] Rework the CORS configuration again. Now we can limit the
 origin and maintain all the other settings.

---
 nginx/templates/nginx-cors.conf.j2 | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/nginx/templates/nginx-cors.conf.j2 b/nginx/templates/nginx-cors.conf.j2
index b85d543..05e703d 100644
--- a/nginx/templates/nginx-cors.conf.j2
+++ b/nginx/templates/nginx-cors.conf.j2
@@ -1,20 +1,10 @@
+if ($request_method = 'OPTIONS') {
 {% if nginx_cors_limit_origin %}
-set $cors '';
-if ($http_origin ~* '{{ nginx_cors_acl_origin }}') {
-    set $cors 'true';
-}
-if ($cors = 'true') {
-    add_header 'Access-Control-Allow-Origin' "$http_origin";
+    add_header 'Access-Control-Allow-Origin' "${{ nginx_cors_acl_origin }}";
     add_header 'Access-Control-Allow-Credentials' 'true';
-    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD';
-    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
-}
-if ($request_method = 'OPTIONS') {
-    return 204;
-}
 {% else %}
-if ($request_method = 'OPTIONS') {
     add_header 'Access-Control-Allow-Origin' '*';
+{% endif %}
     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
     #
     # Custom headers and headers various browsers *should* be OK with but aren't
@@ -29,15 +19,24 @@ if ($request_method = 'OPTIONS') {
     return 204;
 }
 if ($request_method = 'POST') {
+{% if nginx_cors_limit_origin %}
+    add_header 'Access-Control-Allow-Origin' "${{ nginx_cors_acl_origin }}";
+    add_header 'Access-Control-Allow-Credentials' 'true';
+{% else %}
     add_header 'Access-Control-Allow-Origin' '*';
+{% endif %}
     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
     add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
     add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
 }
 if ($request_method = 'GET') {
+{% if nginx_cors_limit_origin %}
+    add_header 'Access-Control-Allow-Origin' "${{ nginx_cors_acl_origin }}";
+    add_header 'Access-Control-Allow-Credentials' 'true';
+{% else %}
     add_header 'Access-Control-Allow-Origin' '*';
+{% endif %}
     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
     add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
     add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
 }
-{% endif %}