[tor-commits] [donate/master] Set allowed origin header for onion hosts

peterh at torproject.org peterh at torproject.org
Tue May 11 21:17:51 UTC 2021


commit 81529a62ee26f07c1fdd1e440bd95873ace6435e
Author: Peter Haight <peterh at giantrabbit.com>
Date:   Wed Dec 23 14:13:24 2020 -0800

    Set allowed origin header for onion hosts
    
    In order to let us use fetch with credentials (to send cookies), the
    allowed origin needs to match the URL for the site using fetch. So if
    the request is coming from an onion URL, then assume it's from the onion
    donate site.
---
 src/AccessControlMiddleware.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/AccessControlMiddleware.php b/src/AccessControlMiddleware.php
index d900fa63..b8afeb15 100644
--- a/src/AccessControlMiddleware.php
+++ b/src/AccessControlMiddleware.php
@@ -3,8 +3,19 @@
 namespace Tor;
 
 class AccessControlMiddleware {
+  const ONION_HOST_MAP = [
+    'rjrsgw3y2wzqmnvv.onion' => 'http://gsxohj375bk7gjal.onion', # prod
+    'qbnprwaqyglijwqq.onion' => 'http://y7pm6of53hzeb7u2.onion', # stag
+    'g2xie2z5bp5f6doi.onion' => 'http://y7pm6of53hzeb7u2.onion', # test
+  ];
+
   public function __invoke($request, $response, $next) {
-    $response = $response->withHeader('Access-Control-Allow-Origin', $this->torSiteBaseUrl);
+    $host = reset($request->getHeader('Host'));
+    $allowOriginUrl = $this->torSiteBaseUrl;
+    if (array_key_exists($host, static::ONION_HOST_MAP)) {
+      $allowOriginUrl = static::ONION_HOST_MAP[$host];
+    }
+    $response = $response->withHeader('Access-Control-Allow-Origin', $allowOriginUrl);
     $response = $response->withHeader('Access-Control-Allow-Credentials', 'true');
     $response = $response->withHeader('Access-Control-Allow-Headers', 'Content-Type');
     return $next($request, $response);
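Review bot: `reset($request->getHeader('Host'))` on the first added line of `__invoke` passes a function result to a by-reference parameter, which PHP reports as "Only variables should be passed by reference". It also looks up the raw header value, so a Host with a port suffix or different letter case will miss `ONION_HOST_MAP`. A miss falls back to `$this->torSiteBaseUrl`, which fails closed for CORS but would silently break the credentialed fetch from the onion site. Consider `$hostHeader = $request->getHeader('Host');` followed by `$host = strtolower(explode(':', $hostHeader[0] ?? '')[0]);`. Taking the allowed origin from a fixed map rather than echoing a request header is the right shape alongside `Access-Control-Allow-Credentials: true`, and a one-line comment on the constant saying so would help keep it that way; the method body ends outside the hunk.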


