From 81751369a135e6ac5afe8ddfd3544860dcc644b4 Mon Sep 17 00:00:00 2001
From: Midgard
Date: Tue, 31 Mar 2020 13:27:08 +0200
Subject: [PATCH] Fix mitmproxy script to deal with multiple origins
---
 etc/mitm_cors.py | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/etc/mitm_cors.py b/etc/mitm_cors.py
index aa783cb..d64c12d 100644
--- a/etc/mitm_cors.py
+++ b/etc/mitm_cors.py
@@ -4,26 +4,24 @@ from mitmproxy import http
 # More information about CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
-ALLOW_ORIGIN = "http://localhost:8000"
+ALLOWED_ORIGINS = ["http://localhost:8000"]
 ALLOW_HEADERS = "Authorization, *" # Which headers the browser may send
 EXPOSE_HEADERS = "Authorization, *" # Which headers the browser may expose to scripts
-HIDE_ORIGIN = True
+def allowed_origin(origin):
+ return origin if origin in ALLOWED_ORIGINS else ALLOWED_ORIGINS[0]
+
 def response(flow):
- flow.response.headers["Access-Control-Allow-Origin"] = ALLOW_ORIGIN
+ flow.response.headers["Access-Control-Allow-Origin"] = allowed_origin(flow.request.headers["Origin"])
 flow.response.headers["Access-Control-Expose-Headers"] = EXPOSE_HEADERS
 def request(flow):
 # Hijack CORS OPTIONS request
 if flow.request.method == "OPTIONS":
 flow.response = http.HTTPResponse.make(200, b"", {
- "Access-Control-Allow-Origin": ALLOW_ORIGIN,
+ "Access-Control-Allow-Origin": allowed_origin(flow.request.headers["Origin"]),
 "Access-Control-Allow-Methods": "GET,POST",
 "Access-Control-Allow-Headers": ALLOW_HEADERS,
 "Access-Control-Max-Age": "10"
 })
-
-- # Privacy
-- if HIDE_ORIGIN:
-- flow.request.headers["Origin"] = "null"
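Review bot: `flow.request.headers["Origin"]` raises `KeyError` when a request carries no `Origin` header, and the new code does this lookup in both `response()` (which runs for every proxied response, for example same-origin or non-browser requests) and the OPTIONS branch of `request()`. Use a lookup with a default so the fallback in `allowed_origin` applies: `allowed_origin(flow.request.headers.get("Origin"))` in both places. Because `Access-Control-Allow-Origin` now depends on the request, the responses should also carry `Vary: Origin` (appended to any upstream `Vary` value rather than replacing it) so a cache between proxy and browser does not replay one origin's header to another. `allowed_origin` would also benefit from a one-line docstring such as `"""Echo origin if allow-listed, else fall back to the first allowed origin."""`, which makes clear that unlisted origins are never reflected.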