From 967a47e5129ff0d14e1f43d618843f8f638f82c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Bournhonesque?= Date: Tue, 22 Oct 2024 14:21:10 +0200 Subject: [PATCH] fix: allow CORS requests for product image move (#10920) It's required by Nutripatrol to perform image deletion from nutripatrol.openfoodfacts.org @Valimp FYI --- cgi/product_image_move.pl | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cgi/product_image_move.pl b/cgi/product_image_move.pl index 0508a351497d5..cd2e0f951de7f 100644 --- a/cgi/product_image_move.pl +++ b/cgi/product_image_move.pl @@ -28,12 +28,14 @@ use ProductOpener::Store qw/:all/; use ProductOpener::Index qw/:all/; use ProductOpener::Display qw/:all/; +use ProductOpener::HTTP qw/write_cors_headers/; use ProductOpener::Lang qw/$lc/; use ProductOpener::Tags qw/:all/; use ProductOpener::Users qw/$Org_id $Owner_id $User_id %User/; use ProductOpener::Images qw/process_image_move/; use ProductOpener::Products qw/:all/; +use Apache2::Const -compile => qw(M_OPTIONS); use CGI qw/:cgi :form escapeHTML/; use URI::Escape::XS; use Storable qw/dclone/; @@ -76,6 +78,18 @@ $log->debug("parsing code", {user => $User_id, code => $code, cc => $request_ref->{cc}, lc => $lc, ip => remote_addr()}) if $log->is_debug(); +# Add a CORS header to allow cross-domain requests (especially from Nutripatrol) +my $r = Apache2::RequestUtil->request(); +# We need to allows credentials (cookies) to authenticate the user +my $allow_credentials = 1; +my $sub_domain_only = 1; +write_cors_headers($allow_credentials, $sub_domain_only); + +# If the requests is an OPTIONS request, we return the headers and exit +if ($r->method_number == Apache2::Const::M_OPTIONS) { + exit(0); +} + if ((not defined $code) or ($code eq '')) { $log->warn("no code");