Add CORS headers to error pages (#2380)

2020-11-12 14:34:16 +01:00 · 2020-11-12 14:34:16 +01:00 · 0263865faa
parent dcfd2a8968
commit 0263865faa
3 changed files with 38 additions and 9 deletions
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI.pm
@ -191,6 +191,8 @@ sub sendError {
            : $code == 400 ? 'Bad request'
            :                'Error'
        );
+
+        # TODO: this should probably use a template instead
        my $s = "<html><head><title>$title</title>
 <style>
 body{background:#000;color:#fff;padding:10px 50px;font-family:sans-serif;}a{text-decoration:none;color:#fff;}h1{text-align:center;}
@ -202,18 +204,25 @@ body{background:#000;color:#fff;padding:10px 50px;font-family:sans-serif;}a{text
 <center><a href=\"https://lemonldap-ng.org\">LemonLDAP::NG</a></center>
 </body>
 </html>";
-        return [
-            $code,
-            [
-                'Content-Type'   => 'text/html; charset=utf-8',
-                'Content-Length' => length($s),
-                $req->spliceHdrs,
-            ],
-            [$s]
-        ];
+        return $self->sendRawHtml( $req, $s, code => $code );
    }
 }

+sub sendRawHtml {
+    my ( $self, $req, $s, %args ) = @_;
+    my $code    = $args{code}    || 200;
+    my $headers = $args{headers} || [ $req->spliceHdrs ];
+    return [
+        $code,
+        [
+            'Content-Type'   => 'text/html; charset=utf-8',
+            'Content-Length' => length($s),
+            @{$headers},
+        ],
+        [$s]
+    ];
+}
+
 sub abort {
    my ( $self, $err ) = @_;
    eval { $self->logger->error($err) };
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@ -1140,6 +1140,18 @@ sub sendJSONresponse {
    return $res;
 }

+sub sendRawHtml {
+    my ($self) = $_[0];
+    my $res = Lemonldap::NG::Common::PSGI::sendRawHtml(@_);
+    if ( $self->conf->{corsEnabled} ) {
+        my @cors = split /;/, $self->cors;
+        push @{ $res->[1] }, @cors;
+        $self->logger->debug('Apply following CORS policy :');
+        $self->logger->debug(" $_") for @cors;
+    }
+    return $res;
+}
+
 # Temlate loader
 sub loadTemplate {
    my ( $self, $req, $name, %prm ) = @_;
--- a/lemonldap-ng-portal/t/01-CSP-and-CORS-headers.t
+++ b/lemonldap-ng-portal/t/01-CSP-and-CORS-headers.t
@ -15,6 +15,8 @@ my $client = LLNG::Manager::Test->new( {
            cspFormAction     => '*',
            cspFrameAncestors => 'test.example.com',
            customToTrace     => 'mail',
+            checkStateSecret  => 'x',
+            checkState        => 1,
        }
    }
 );
@ -38,6 +40,12 @@ ok(
 count(1);
 expectReject($res);

+# sendError (#2380)
+ok( $res = $client->_get( '/checkstate', accept => 'text/html' ),
+    'Get error page' );
+count(1);
+checkCorsPolicy($res);
+
 ok( $res = $client->_options( '/', accept => 'text/html' ), 'Get Menu' );
 count(1);