From 909829f58b7b92bd6cf6c5ad65080e3b48a7d4e2 Mon Sep 17 00:00:00 2001
From: arekkas
Date: Tue, 21 Aug 2018 11:56:47 +0200
Subject: [PATCH] cmd: Disable CORS by default

This patch introduces environment variable `CORS_ENABLED` which toggles CORS.

Closes #996

Signed-off-by: arekkas
---
 UPGRADE.md | 7 +++++++
 cmd/serve.go | 3 +++
 cmd/server/handler.go | 8 +++++++-
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/UPGRADE.md b/UPGRADE.md
index 519ee826560..281d38c35d9 100644
--- a/UPGRADE.md
+++ b/UPGRADE.md
@@ -99,6 +99,13 @@ before finalizing the upgrade process.
+## 1.0.0-rc.1
+
+### CORS is disabled by default
+
+A new environment variable `CORS_ENABLED` was introduced. It sets whether CORS is enabled ("true") or not ("false")".
+Default is disabled.
+
 ## 1.0.0-beta.8
 ### Schema Changes
diff --git a/cmd/serve.go b/cmd/serve.go
index 3e12c835b58..e4c9e1f372f 100644
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -182,6 +182,9 @@ HTTPS CONTROLS
 CORS CONTROLS
 ==============
+- CORS_ENABLED: Switch CORS support on (true) or off (false). Default is off (false).
+ Example: CORS_ENABLED=true
+
 - CORS_ALLOWED_ORIGINS: A list of origins (comma separated values) a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality.
diff --git a/cmd/server/handler.go b/cmd/server/handler.go
index 5c09f7c6938..ec4f49ca529 100644
--- a/cmd/server/handler.go
+++ b/cmd/server/handler.go
@@ -25,6 +25,7 @@ import (
 "fmt"
 "net/http"
 "net/url"
+ "os"
 "strings"
 "sync"
@@ -57,7 +58,12 @@ func enhanceRouter(c *config.Config, cmd *cobra.Command, serverHandler *Handler,
 }
 n.UseFunc(serverHandler.rejectInsecureRequests)
 n.UseHandler(router)
- return context.ClearHandler(cors.New(corsx.ParseOptions()).Handler(n))
+ if os.Getenv("CORS_ENABLED") == "true" {
+ c.GetLogger().Info("Enabled CORS")
+ return context.ClearHandler(cors.New(corsx.ParseOptions()).Handler(n))
+ } else {
+ return context.ClearHandler(n)
+ }
 }

 func RunServeAdmin(c *config.Config) func(cmd *cobra.Command, args []string) {
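Review bot: The toggle in enhanceRouter compares `os.Getenv("CORS_ENABLED")` with the exact string `"true"`, so values such as `TRUE` or `1` leave CORS off without any log line. That fails closed, which is the safe direction, but an operator chasing blocked browser requests gets no hint; `if on, _ := strconv.ParseBool(os.Getenv("CORS_ENABLED")); on {` (with `"strconv"` added to the imports) accepts the usual spellings and still treats an unset or invalid value as off. When CORS is on, the "Enabled CORS" line would be more useful for review if it also logged the allowed origins that `corsx.ParseOptions()` resolved, because the help text says a `*` entry allows every origin, and the default is not visible in this patch. The `else` after the terminating `return` can be dropped so the disabled path is the plain fall-through `return context.ClearHandler(n)`. enhanceRouter starts outside the hunk, so whether this one switch covers more than one listener cannot be confirmed from here.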