From f41e910a3d5d0ff8d596d7b47a5bf0bdeb148212 Mon Sep 17 00:00:00 2001 From: Felix Ableitner Date: Fri, 24 Jan 2025 15:51:48 +0100 Subject: [PATCH 1/3] Allow setting multiple values for cors_origin (fixes #5198) --- config/defaults.hjson | 5 ++++- crates/routes/src/utils/mod.rs | 27 ++++++++------------------- crates/utils/src/settings/structs.rs | 8 ++++---- 3 files changed, 16 insertions(+), 24 deletions(-) diff --git a/config/defaults.hjson b/config/defaults.hjson index b5d3b1004d..c9fa29680e 100644 --- a/config/defaults.hjson +++ b/config/defaults.hjson @@ -112,5 +112,8 @@ } # Sets a response Access-Control-Allow-Origin CORS header # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin - cors_origin: "lemmy.tld" + cors_origin: [ + "lemmy.tld" + /* ... */ + ] } diff --git a/crates/routes/src/utils/mod.rs b/crates/routes/src/utils/mod.rs index ccb363df95..632905c902 100644 --- a/crates/routes/src/utils/mod.rs +++ b/crates/routes/src/utils/mod.rs 
@@ -9,30 +9,19 @@ pub fn cors_config(settings: &Settings) -> Cors { let self_origin = settings.get_protocol_and_hostname(); let cors_origin_setting = settings.cors_origin(); - // A default setting for either wildcard, or None - let cors_default = Cors::default() - .allow_any_origin() + let mut cors = Cors::default() .allow_any_method() .allow_any_header() .expose_any_header() .max_age(3600); - match (cors_origin_setting.clone(), cfg!(debug_assertions)) { - (Some(origin), false) => { - // Need to call send_wildcard() explicitly, passing this into allowed_origin() results in - // error - if origin == "*" { - cors_default - } else { - Cors::default() - .allowed_origin(&origin) - .allowed_origin(&self_origin) - .allow_any_method() - .allow_any_header() - .expose_any_header() - .max_age(3600) - } + if cfg!(debug_assertions) || cors_origin_setting.contains(&"*".to_string()) { + cors = cors.allow_any_origin(); + } else { + cors = cors.allowed_origin(&self_origin); + for c in cors_origin_setting { + cors = cors.allowed_origin(&c); } - _ => cors_default, } + cors } diff --git a/crates/utils/src/settings/structs.rs b/crates/utils/src/settings/structs.rs index effd68a640..bcd88deb4a 100644 --- a/crates/utils/src/settings/structs.rs +++ b/crates/utils/src/settings/structs.rs @@ -47,14 +47,14 @@ pub struct Settings { /// Sets a response Access-Control-Allow-Origin CORS header /// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin #[doku(example = "lemmy.tld")] - cors_origin: Option, + cors_origin: Vec, } impl Settings { - pub fn cors_origin(&self) -> Option { + pub fn cors_origin(&self) -> Vec { env::var("LEMMY_CORS_ORIGIN") - .ok() - .or(self.cors_origin.clone()) + .ok().map(|e| e.split(',').map(ToString::to_string).collect()) + .unwrap_or(self.cors_origin.clone()) } } From b26f0abe77b166dd36deeaf1bda49f47815e4be6 Mon Sep 17 00:00:00 2001 
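Review bot: The `else` branch of `cors_config` now also handles an empty `cors_origin` list, so a release build with nothing configured presumably goes from the old `_ => cors_default` arm (which called `allow_any_origin()`) to accepting only `self_origin`. That is the safer default, but it is a silent behaviour change for cross-origin clients and deserves a comment above the branch, for example `// Empty list: only our own origin is allowed; list "*" explicitly to allow any origin.`. The wildcard test is an exact string match, so it relies on entries being normalised before they reach this function, and `cors_origin_setting.iter().any(|o| o == "*")` would avoid allocating a `String` just to compare. The function's signature appears only in the hunk header; the body shown runs to its closing brace.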
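Review bot: The `LEMMY_CORS_ORIGIN` parsing in `Settings::cors_origin` splits on `,` without trimming, so `a.org, b.org` yields `" b.org"` and an empty variable yields a single `""` entry. A padded ` *` would then miss the wildcard check in `cors_config` and be handed to `allowed_origin()` as a literal origin, which can never equal a browser's `Origin` header and may be rejected by the CORS builder. I would normalise at the source with `e.split(',').map(str::trim).filter(|o| !o.is_empty()).map(ToString::to_string).collect()`, and use `.unwrap_or_else(|| self.cors_origin.clone())` so the clone only happens when the variable is unset. The same expression is re-wrapped unchanged in the following `fmt` patch (hunk `@@ -53,7 +53,8 @@`). It is also worth confirming whether entries need a scheme (`https://lemmy.tld`) to match the request's `Origin` header, since the examples use bare host names.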
From: Felix Ableitner Date: Fri, 24 Jan 2025 16:03:16 +0100 Subject: [PATCH 2/3] fmt --- crates/utils/src/settings/structs.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crates/utils/src/settings/structs.rs b/crates/utils/src/settings/structs.rs index bcd88deb4a..1a3e4ae210 100644 --- a/crates/utils/src/settings/structs.rs +++ b/crates/utils/src/settings/structs.rs @@ -53,7 +53,8 @@ pub struct Settings { impl Settings { pub fn cors_origin(&self) -> Vec { env::var("LEMMY_CORS_ORIGIN") - .ok().map(|e| e.split(',').map(ToString::to_string).collect()) + .ok() + .map(|e| e.split(',').map(ToString::to_string).collect()) .unwrap_or(self.cors_origin.clone()) } } From 2b1305cd8f84c47125c6d2b7a78edd6153e646e7 Mon Sep 17 00:00:00 2001 From: Felix Ableitner Date: Fri, 24 Jan 2025 16:30:41 +0100 Subject: [PATCH 3/3] mention env var --- config/defaults.hjson | 3 ++- crates/utils/src/settings/structs.rs | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/config/defaults.hjson b/config/defaults.hjson index c9fa29680e..4922d74aad 100644 --- a/config/defaults.hjson +++ b/config/defaults.hjson @@ -110,7 +110,8 @@ bind: "127.0.0.1" port: 10002 } - # Sets a response Access-Control-Allow-Origin CORS header + # Sets a response Access-Control-Allow-Origin CORS header. Can also be set via environment: + # `LEMMY_CORS_ORIGIN=example.org,site.com` # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin cors_origin: [ "lemmy.tld" diff --git a/crates/utils/src/settings/structs.rs b/crates/utils/src/settings/structs.rs index 1a3e4ae210..4577f4e609 100644 --- a/crates/utils/src/settings/structs.rs +++ b/crates/utils/src/settings/structs.rs 
@@ -44,7 +44,8 @@ pub struct Settings { // Prometheus configuration. #[doku(example = "Some(Default::default())")] pub prometheus: Option, - /// Sets a response Access-Control-Allow-Origin CORS header + /// Sets a response Access-Control-Allow-Origin CORS header. Can also be set via environment: + /// `LEMMY_CORS_ORIGIN=example.org,site.com` /// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin #[doku(example = "lemmy.tld")] cors_origin: Vec,