Bug 1365662 - Adjust CORS headers to allow BMO integration with SSO
authorEd Morley <emorley@mozilla.com>
Tue, 30 May 2017 18:28:42 +0100
changeset 324 d01ad249565ef16d8516ccf671f0c915e470fc3d
parent 323 98d6754d43f67f927a0bc906aa396548433f739a
child 325 4d7ea7a3deb4d77cd3731dcc00a67a5ee8f4ceb8
push id275
push useremorley@mozilla.com
push dateTue, 30 May 2017 17:32:06 +0000
bugs1365662
Bug 1365662 - Adjust CORS headers to allow BMO integration with SSO The CORS spec forbids using a wildcard when sending credentials, so we have to explicitly whitelist BMO, so that it can pass the SSO cookie when making API calls.
server/handlers.py
--- a/server/handlers.py
+++ b/server/handlers.py
@@ -196,17 +196,18 @@ class WooQuery:
             self['startday'] = startday
             self['endday'] = endday
 
     def GET(self):
         params = urlparse.parse_qs(web.ctx.query[1:], True)
         results = json.dumps(self._GET(params))
         web.header('Content-Length', len(results))
         web.header('Content-Type', 'application/json; charset=utf-8')
-        web.header('Access-Control-Allow-Origin', '*')
+        web.header('Access-Control-Allow-Origin', 'https://bugzilla.mozilla.org')
+        web.header('Access-Control-Allow-Credentials', 'true')
         return results
 
     def getPushesByDate(self, args):
         """Returns the number of pushes per day to the specified trees for a given time range."""
 
         # If no time is specified, it defaults to 00:00:00, so we have to add one
         # day to the endday, to actually include the day specified.
         # The json-pushes date argument strings need to be in UTC.