This diff adds the ability to specify a CORS header for httpd(8) static content.
All feedback appreciated - Thanks, in advance! -- Index: usr.sbin/httpd/httpd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v retrieving revision 1.121 diff -u -p -u -p -r1.121 httpd.conf.5 --- usr.sbin/httpd/httpd.conf.5 9 Mar 2022 13:50:41 -0000 1.121 +++ usr.sbin/httpd/httpd.conf.5 1 Jul 2022 06:25:18 -0000 @@ -297,6 +297,12 @@ for example the maximum time to wait for The default timeout is 600 seconds (10 minutes). The maximum is 2147483647 seconds (68 years). .El +.It Ic cors-static Ar option +Set a Cross-Origin Resource Sharing (CORS) +.Pa Access-Control-Allow-Origin +header value. +.Pp +The CORS header, if specified, is added for static content only. .It Ic default type Ar type/subtype Set the default media type for the specified location, overwriting the global setting. Index: usr.sbin/httpd/httpd.h =================================================================== RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v retrieving revision 1.160 diff -u -p -u -p -r1.160 httpd.h --- usr.sbin/httpd/httpd.h 2 Mar 2022 11:10:43 -0000 1.160 +++ usr.sbin/httpd/httpd.h 1 Jul 2022 06:25:18 -0000 @@ -393,6 +393,7 @@ SPLAY_HEAD(client_tree, client); #define SRVFLAG_PATH_REWRITE 0x01000000 #define SRVFLAG_NO_PATH_REWRITE 0x02000000 #define SRVFLAG_GZIP_STATIC 0x04000000 +#define SRVFLAG_CORS_STATIC 0x08000000 #define SRVFLAG_LOCATION_FOUND 0x40000000 #define SRVFLAG_LOCATION_NOT_FOUND 0x80000000 @@ -480,6 +481,7 @@ struct server_config { char root[PATH_MAX]; char path[PATH_MAX]; char index[PATH_MAX]; + char cors_static[PATH_MAX]; char accesslog[PATH_MAX]; char errorlog[PATH_MAX]; struct media_type default_type; Index: usr.sbin/httpd/parse.y =================================================================== RCS file: /cvs/src/usr.sbin/httpd/parse.y,v retrieving revision 1.128 diff -u -p -u -p -r1.128 parse.y --- usr.sbin/httpd/parse.y 27 Feb 2022 20:30:30 -0000 1.128 +++ usr.sbin/httpd/parse.y 1 Jul 2022 06:25:18 -0000 @@ -141,7 +141,7 @@ typedef struct { %token TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS REWRITE %token CA CLIENT CRL OPTIONAL PARAM FORWARDED FOUND NOT -%token ERRDOCS GZIPSTATIC +%token ERRDOCS GZIPSTATIC CORSSTATIC %token <v.string> STRING %token <v.number> NUMBER %type <v.port> port @@ -554,6 +554,7 @@ serveroptsl : LISTEN ON STRING opttls po | fastcgi | authenticate | gzip_static + | cors_static | filter | LOCATION optfound optmatch STRING { struct server *s; @@ -1226,6 +1227,27 @@ gzip_static : NO GZIPSTATIC { } ; +cors_static : CORSSTATIC corsflags + | CORSSTATIC '{' optnl corsflags_l '}' + ; + +corsflags_l : corsflags optcommanl corsflags_l + | corsflags optnl + ; + +corsflags : STRING { + if (strlcpy(srv->srv_conf.cors_static, $1, + sizeof(srv->srv_conf.cors_static)) >= + sizeof(srv->srv_conf.cors_static)) { + yyerror("cors value too long"); + free($1); + YYERROR; + } + free($1); + srv->srv_conf.flags |= SRVFLAG_CORS_STATIC; + } + ; + tcpip : TCP '{' optnl tcpflags_l '}' | TCP tcpflags ; @@ -1439,6 +1461,7 @@ lookup(char *s) { "combined", COMBINED }, { "common", COMMON }, { "connection", CONNECTION }, + { "cors-static", CORSSTATIC }, { "crl", CRL }, { "default", DEFAULT }, { "dhe", DHE }, Index: usr.sbin/httpd/server_file.c =================================================================== RCS file: /cvs/src/usr.sbin/httpd/server_file.c,v retrieving revision 1.74 diff -u -p -u -p -r1.74 server_file.c --- usr.sbin/httpd/server_file.c 4 Mar 2022 01:46:07 -0000 1.74 +++ usr.sbin/httpd/server_file.c 1 Jul 2022 06:25:18 -0000 @@ -269,6 +269,12 @@ server_file_request(struct httpd *env, s } } + if (srv_conf->flags & SRVFLAG_CORS_STATIC) { + struct http_descriptor *resp = clt->clt_descresp; + kv_add(&resp->http_headers, + "Access-Control-Allow-Origin", srv_conf->cors_static); + } + /* Now open the file, should be readable or we have another problem */ if (fd == -1) { if ((fd = open(path, O_RDONLY)) == -1) -- David Rinehart