wekan/server/cors.js

Meteor.startup(() => {
  // Optional: Set Permissions-Policy only if explicitly provided to avoid browser warnings about unrecognized features
  if (process.env.PERMISSIONS_POLICY && process.env.PERMISSIONS_POLICY.trim() !== '') {
    WebApp.rawConnectHandlers.use(function(req, res, next) {
      res.setHeader('Permissions-Policy', process.env.PERMISSIONS_POLICY);
      return next();
    });
  }

  if (process.env.CORS) {
    // Listen to incoming HTTP requests, can only be used on the server
    WebApp.rawConnectHandlers.use(function(req, res, next) {
      res.setHeader('Access-Control-Allow-Origin', process.env.CORS);
      return next();
    });
  }
  if (process.env.CORS_ALLOW_HEADERS) {
    WebApp.rawConnectHandlers.use(function(req, res, next) {
      res.setHeader(
        'Access-Control-Allow-Headers',
        process.env.CORS_ALLOW_HEADERS,
      );
      return next();
    });
  }
  if (process.env.CORS_EXPOSE_HEADERS) {
    WebApp.rawConnectHandlers.use(function(req, res, next) {
      res.setHeader(
        'Access-Control-Expose-Headers',
        process.env.CORS_EXPOSE_HEADERS,
      );
      return next();
    });
  }
});
- Add CORS https://enable-cors.org/server_meteor.html - Add missing LDAP and TIMER environment variables. Thanks to xet7 ! Closes wekan/wekan-snap#69 2018-12-03 16:05:24 +02:00			`Meteor.startup(() => {`
Fix SECURITY ISSUE 2: Access to boards of any Orgs/Teams, and avatar permissions. Thanks to Siam Thanat Hack (STH) ! 2025-11-02 09:11:50 +02:00			`// Optional: Set Permissions-Policy only if explicitly provided to avoid browser warnings about unrecognized features`
			`if (process.env.PERMISSIONS_POLICY && process.env.PERMISSIONS_POLICY.trim() !== '') {`
			`WebApp.rawConnectHandlers.use(function(req, res, next) {`
			`res.setHeader('Permissions-Policy', process.env.PERMISSIONS_POLICY);`
			`return next();`
			`});`
			`}`
Some migrations and mobile fixes. Thanks to xet7 ! 2025-10-25 21:09:07 +03:00
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`if (process.env.CORS) {`
- Add CORS https://enable-cors.org/server_meteor.html - Add missing LDAP and TIMER environment variables. Thanks to xet7 ! Closes wekan/wekan-snap#69 2018-12-03 16:05:24 +02:00			`// Listen to incoming HTTP requests, can only be used on the server`
			`WebApp.rawConnectHandlers.use(function(req, res, next) {`
			`res.setHeader('Access-Control-Allow-Origin', process.env.CORS);`
			`return next();`
			`});`
			`}`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`if (process.env.CORS_ALLOW_HEADERS) {`
Add support for more CORS headers 2019-05-24 12:39:54 -04:00			`WebApp.rawConnectHandlers.use(function(req, res, next) {`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`res.setHeader(`
			`'Access-Control-Allow-Headers',`
			`process.env.CORS_ALLOW_HEADERS,`
			`);`
Add support for more CORS headers 2019-05-24 12:39:54 -04:00			`return next();`
			`});`
			`}`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`if (process.env.CORS_EXPOSE_HEADERS) {`
Add support for more CORS headers 2019-05-24 12:39:54 -04:00			`WebApp.rawConnectHandlers.use(function(req, res, next) {`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`res.setHeader(`
			`'Access-Control-Expose-Headers',`
			`process.env.CORS_EXPOSE_HEADERS,`
			`);`
Add support for more CORS headers 2019-05-24 12:39:54 -04:00			`return next();`
			`});`
			`}`
- Add CORS https://enable-cors.org/server_meteor.html - Add missing LDAP and TIMER environment variables. Thanks to xet7 ! Closes wekan/wekan-snap#69 2018-12-03 16:05:24 +02:00			`});`