Add default API CORS HTTP Headers (#6659)

* Add default API CORS HTTP Headers To allow interacting with our APIs from a JavaScript application. So far limited to the APIs: Greader, User queries Fix https://github.com/FreshRSS/FreshRSS/discussions/6654#discussioncomment-10131144 * Early abort for OPTIONS requests * Move a bit OPTIONS test * No content! * More cleaning
2026-04-16 04:17:12 -04:00 · 2024-07-28 14:19:40 +02:00
parent 5267db88ab
commit 47a3e15edc
2 changed files with 23 additions and 0 deletions
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -112,6 +112,12 @@ function debugInfo(): string {

 final class GReaderAPI {

+	/** @return never */
+	private static function noContent() {
+		header('HTTP/1.1 204 No Content');
+		exit();
+	}
+
 	/** @return never */
 	private static function badRequest() {
 		Minz_Log::warning(__METHOD__, API_LOG);
@@ -987,6 +993,14 @@ final class GReaderAPI {
 	public static function parse() {
 		global $ORIGINAL_INPUT;

+		header('Access-Control-Allow-Headers: Authorization');
+		header('Access-Control-Allow-Methods: GET, POST');
+		header('Access-Control-Allow-Origin: *');
+		header('Access-Control-Max-Age: 600');
+		if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
+			self::noContent();
+		}
+
 		$pathInfo = '';
 		if (empty($_SERVER['PATH_INFO'])) {
 			if (!empty($_SERVER['ORIG_PATH_INFO'])) {
--- a/p/api/query.php
+++ b/p/api/query.php
@@ -159,6 +159,15 @@ if ($query->getName() != '') {
 }
 FreshRSS_Context::systemConf()->allow_anonymous = true;

+header('Access-Control-Allow-Methods: GET');
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Max-Age: 600');
+header('Cache-Control: public, max-age=60');
+if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
+	header('HTTP/1.1 204 No Content');
+	exit();
+}
+
 if (in_array($format, ['rss', 'atom'], true)) {
 	header('Content-Type: application/rss+xml; charset=utf-8');
 	$view->_layout(null);