Fix CORS: make mitmproxy intercept OPTIONS

Mattermost doesn't support OPTIONS so we have to handle it in our proxy.
2020-03-25 22:10:19 +01:00 · 2020-03-25 22:10:19 +01:00 · 87808a3ffe
parent 71290cdc02
commit 87808a3ffe
3 changed files with 48 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,5 @@
+__pycache__/
+.mypy_cache/
+*.pyc
+*.bak
+*~
--- a/etc/mitm_cors.py
+++ b/etc/mitm_cors.py
@ -0,0 +1,29 @@
+# Script for mitmproxy, used in ../rundev.sh. Not meant to be run directly.
+
+from mitmproxy import http
+
+# More information about CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
+
+ALLOW_ORIGIN = "http://localhost:8000"
+ALLOW_HEADERS  = "Authorization, *" # Which headers the browser may send
+EXPOSE_HEADERS = "Authorization, *" # Which headers the browser may expose to scripts
+HIDE_ORIGIN = True
+
+
+def response(flow):
+	flow.response.headers["Access-Control-Allow-Origin"] = ALLOW_ORIGIN
+	flow.response.headers["Access-Control-Expose-Headers"] = EXPOSE_HEADERS
+
+def request(flow):
+	# Hijack CORS OPTIONS request
+	if flow.request.method == "OPTIONS":
+		flow.response = http.HTTPResponse.make(200, b"", {
+			"Access-Control-Allow-Origin": ALLOW_ORIGIN,
+			"Access-Control-Allow-Methods": "GET,POST",
+			"Access-Control-Allow-Headers": ALLOW_HEADERS,
+			"Access-Control-Max-Age": "10"
+		})
+
+	# Privacy
+	if HIDE_ORIGIN:
+		flow.request.headers["Origin"] = "null"
--- a/rundev.sh
+++ b/rundev.sh
@ -0,0 +1,14 @@
+#!/bin/bash
+
+MATTERMOST_REMOTE="https://mattermost.zeus.gent"
+
+
+if [[ $MATTERMOST_REMOTE == */ ]]; then
+	echo "MATTERMOST_REMOTE should not end with a slash (it should only the protocol and the domain; no path)" >&2
+	exit 1
+fi
+
+cd "$(dirname "$0")"
+
+python3 -m "http.server" >/dev/null 2>&1 &
+mitmproxy -s etc/mitm_cors.py -m "reverse:$MATTERMOST_REMOTE"