diff --git a/actions/hostmeta.php b/actions/hostmeta.php
index 79ab2e0d9c..98c8a33ac9 100644
--- a/actions/hostmeta.php
+++ b/actions/hostmeta.php
@@ -59,7 +59,10 @@ class HostMetaAction extends Action
 Event::handle('EndHostMetaLinks', array(&$xrd->links));
 }
- header('Access-Control-Allow-Origin: *');
+ global $config;
+ if($config['site']['cors'] === true){
+ header('Access-Control-Allow-Origin: *');
+ }
 header('Content-type: application/xrd+xml');
 print $xrd->toXML();
 }
diff --git a/actions/userxrd.php b/actions/userxrd.php
index 4851b0731c..e119d69436 100644
--- a/actions/userxrd.php
+++ b/actions/userxrd.php
@@ -30,7 +30,10 @@ class UserxrdAction extends XrdAction
 function prepare($args)
 {
 parent::prepare($args);
- header('Access-Control-Allow-Origin: *');
+ global $config;
+ if($config['site']['cors'] === true){
+ header('Access-Control-Allow-Origin: *');
+ }
 $this->uri = $this->trimmed('uri');
 $this->uri = self::normalize($this->uri);
diff --git a/config.php.sample b/config.php.sample
index 5481ca539e..8389c33318 100644
--- a/config.php.sample
+++ b/config.php.sample
@@ -40,6 +40,8 @@ $config['site']['path'] = 'statusnet';
 // $config['site']['inviteonly'] = true;
 // Make the site invisible to non-logged-in users
 // $config['site']['private'] = true;
+// Allow Cross-Origin Resource Sharing
+// $config['site']['cors'] = true;
 // If your web server supports X-Sendfile (Apache with mod_xsendfile,
 // lighttpd, nginx), you can enable X-Sendfile support for better
diff --git a/lib/default.php b/lib/default.php
index c1dfcbc87d..847610aea9 100644
--- a/lib/default.php
+++ b/lib/default.php
@@ -61,6 +61,7 @@ $default =
 'textlimit' => 140,
 'indent' => true,
 'use_x_sendfile' => false,
+ 'cors' => true,
 'notice' => null, // site wide notice text
 'build' => 1, // build number, for code-dependent cache
 ),
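Review bot: In actions/hostmeta.php the new guard pulls in `global $config` and tests `$config['site']['cors'] === true`, so any value other than the boolean `true` (for example `1` or `'true'` in config.php) silently switches the header off; the identical guard in `prepare()` in actions/userxrd.php behaves the same way. That fails closed, which is the safe direction, but an administrator can easily believe CORS is enabled when it is not. I would read the setting through the project's configuration accessor rather than the global, e.g. `if (common_config('site', 'cors') === true) {` (assuming that helper is available to these actions), and add the comment `// only the boolean true enables the wildcard origin header` above it. Keeping the check in one shared place would also stop the two endpoints drifting apart. The enclosing method in hostmeta.php starts outside the hunk.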
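Review bot: The sample line added to config.php.sample, `// $config['site']['cors'] = true;`, repeats the value that lib/default.php sets in this same commit, so uncommenting it changes nothing and the file never shows how to turn the header off. The neighbouring samples appear to show the value an administrator would switch to, so I would write `// $config['site']['cors'] = false;` here. The comment above it should say what the setting actually does, e.g. `// Send "Access-Control-Allow-Origin: *" on host-meta and user XRD responses (default: true)`, because "Allow Cross-Origin Resource Sharing" does not tell the reader that it is a wildcard origin rather than an allow-list, or which endpoints it covers.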
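Review bot: The new `'cors' => true,` entry in lib/default.php has no trailing comment, unlike `'notice'` and `'build'` beside it, and nothing records that `true` means a wildcard `Access-Control-Allow-Origin: *` on the discovery responses. I would write `'cors' => true, // send Access-Control-Allow-Origin: * on host-meta and user XRD responses`. Defaulting to `true` keeps the behaviour from before this commit; whether a site that sets `$config['site']['private']` should inherit that default is not visible from this hunk and is worth stating in the comment or the commit message. The `$default` array starts and ends outside the hunk.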