diff --git a/puppet/zulip/files/nginx/zulip-include-common/tornado_cors_headers b/puppet/zulip/files/nginx/zulip-include-common/tornado_cors_headers
new file mode 100644
index 0000000000..bff13dd2d1
--- /dev/null
+++ b/puppet/zulip/files/nginx/zulip-include-common/tornado_cors_headers
@@ -0,0 +1,4 @@
+include /etc/nginx/zulip-include/headers;
+add_header Access-Control-Allow-Origin * always;
+add_header Access-Control-Allow-Headers Authorization always;
+add_header Access-Control-Allow-Methods 'OPTIONS, GET, DELETE' always;
diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/app b/puppet/zulip/files/nginx/zulip-include-frontend/app
index 29755b3dcc..514d12c018 100644
--- a/puppet/zulip/files/nginx/zulip-include-frontend/app
+++ b/puppet/zulip/files/nginx/zulip-include-frontend/app
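Review bot: In the new tornado_cors_headers file, `Access-Control-Allow-Origin *` is paired with `Access-Control-Allow-Headers Authorization`, and nothing in the file records why a wildcard origin is acceptable. That pairing is safe only while every location that includes it authenticates solely from an explicit Authorization header and never from cookies. This appears to be the intent, since the other file in this commit includes it under /api/v1/events but not under /json/events. I would add a leading comment such as `# Wildcard origin: only for endpoints authenticated by the Authorization header; never include from cookie-authenticated (/json/) locations.` so that any later include elsewhere is checked against that assumption.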
@@ -28,18 +28,42 @@ location /static/ { # Send longpoll requests to Tornado location /json/events { + if ($request_method = 'OPTIONS') { + # add_header does not propagate into/out of blocks, so this + # include cannot be factored out + include /etc/nginx/zulip-include/headers; + add_header Allow 'OPTIONS, GET, DELETE' always; + return 204; + } + + if ($request_method !~ ^(GET|DELETE)$ ) { + # add_header does not propagate into/out of blocks, so this + # include cannot be factored out + include /etc/nginx/zulip-include/headers; + add_header Allow 'OPTIONS, GET, DELETE' always; + return 405; + } + proxy_pass $tornado_server; include /etc/nginx/zulip-include/proxy_longpolling; } # Send longpoll requests to Tornado location /api/v1/events { - include /etc/nginx/zulip-include/api_headers; if ($request_method = 'OPTIONS') { + include /etc/nginx/zulip-include/tornado_cors_headers; + add_header Allow 'OPTIONS, GET, DELETE' always; return 204; } + if ($request_method !~ ^(GET|DELETE)$ ) { + include /etc/nginx/zulip-include/headers; + add_header Allow 'OPTIONS, GET, DELETE' always; + return 405; + } + + include /etc/nginx/zulip-include/tornado_cors_headers; proxy_pass $tornado_server; include /etc/nginx/zulip-include/proxy_longpolling; }
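Review bot: The 405 branch added under `location /api/v1/events` includes `/etc/nginx/zulip-include/headers`, while the OPTIONS branch and the proxied path both include `tornado_cors_headers`. A rejected cross-origin request therefore carries no `Access-Control-Allow-Origin`, and browser script sees an opaque CORS failure instead of the 405 and its `Allow` header. If that is deliberate, say so in a comment; otherwise change that branch to `include /etc/nginx/zulip-include/tornado_cors_headers;`. The two `if` blocks in this location also lack the `# add_header does not propagate into/out of blocks` comment that the /json/events blocks carry, although it applies equally here.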