diff --git a/fs/rc/rc.go b/fs/rc/rc.go index b09c861c7..5159aea2b 100644 --- a/fs/rc/rc.go +++ b/fs/rc/rc.go @@ -17,14 +17,15 @@ import ( // Options contains options for the remote control server type Options struct { - HTTPOptions httplib.Options - Enabled bool // set to enable the server - Serve bool // set to serve files from remotes - Files string // set to enable serving files locally - NoAuth bool // set to disable auth checks on AuthRequired methods - WebUI bool // set to launch the web ui - WebGUIUpdate bool // set to download new update - WebGUIFetchURL string // set the default url for fetching webgui + HTTPOptions httplib.Options + Enabled bool // set to enable the server + Serve bool // set to serve files from remotes + Files string // set to enable serving files locally + NoAuth bool // set to disable auth checks on AuthRequired methods + WebUI bool // set to launch the web ui + WebGUIUpdate bool // set to download new update + WebGUIFetchURL string // set the default url for fetching webgui + AccessControlAllowOrigin string // set the access control for CORS configuration } diff --git a/fs/rc/rcflags/rcflags.go b/fs/rc/rcflags/rcflags.go index 97505055d..1a996e04d 100644 --- a/fs/rc/rcflags/rcflags.go +++ b/fs/rc/rcflags/rcflags.go @@ -23,5 +23,6 @@ func AddFlags(flagSet *pflag.FlagSet) { flags.BoolVarP(flagSet, &Opt.WebUI, "rc-web-gui", "", false, "Launch WebGUI on localhost") flags.BoolVarP(flagSet, &Opt.WebGUIUpdate, "rc-web-gui-update", "", false, "Update / Force update to latest version of web gui") flags.StringVarP(flagSet, &Opt.WebGUIFetchURL, "rc-web-fetch-url", "", "https://api.github.com/repos/rclone/rclone-webui-react/releases/latest", "URL to fetch the releases for webgui.") + flags.StringVarP(flagSet, &Opt.AccessControlAllowOrigin, "rc-allow-origin", "", "", "Set the allowed origin for CORS.") httpflags.AddFlagsPrefix(flagSet, "rc-", &Opt.HTTPOptions) } 
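Review bot: The help text for `rc-allow-origin` in `AddFlags` and the comment on `AccessControlAllowOrigin` in `Options` do not say what the empty default means or which values are valid. Judging by the handler change in rcserver.go, an empty value falls back to the server's own URL and `*` only triggers a warning; the header itself accepts a single origin or `*`, not a list. Suggested help text: `"Set the allowed origin for CORS: a single origin or *. Defaults to the rc server URL when empty."`, and for the field comment `// origin sent in Access-Control-Allow-Origin; empty means the server URL`.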
diff --git a/fs/rc/rcserver/rcserver.go b/fs/rc/rcserver/rcserver.go index 65fc9bc82..180942d54 100644 --- a/fs/rc/rcserver/rcserver.go +++ b/fs/rc/rcserver/rcserver.go @@ -13,10 +13,6 @@ import ( "sort" "strings" - "github.com/skratchdot/open-golang/open" - - "github.com/rclone/rclone/fs/rc/jobs" - "github.com/pkg/errors" "github.com/rclone/rclone/cmd/serve/httplib" "github.com/rclone/rclone/cmd/serve/httplib/serve" @@ -25,6 +21,9 @@ import ( "github.com/rclone/rclone/fs/config" "github.com/rclone/rclone/fs/list" "github.com/rclone/rclone/fs/rc" + "github.com/rclone/rclone/fs/rc/jobs" + "github.com/rclone/rclone/fs/rc/rcflags" + "github.com/skratchdot/open-golang/open" ) // Start the remote control server if configured @@ -130,7 +129,15 @@ func writeError(path string, in rc.Params, w http.ResponseWriter, err error, sta func (s *Server) handler(w http.ResponseWriter, r *http.Request) { path := strings.TrimLeft(r.URL.Path, "/") - w.Header().Add("Access-Control-Allow-Origin", "*") + allowOrigin := rcflags.Opt.AccessControlAllowOrigin + if allowOrigin != "" { + if allowOrigin == "*" { + fs.Logf(nil, "Warning: Allow origin set to *. This can cause serious security problems.") + } + w.Header().Add("Access-Control-Allow-Origin", allowOrigin) + } else { + w.Header().Add("Access-Control-Allow-Origin", s.URL()) + } // echo back access control headers client needs //reqAccessHeaders := r.Header.Get("Access-Control-Request-Headers") diff --git a/fs/rc/rcserver/rcserver_test.go b/fs/rc/rcserver/rcserver_test.go index 648247104..626ca7849 100644 --- a/fs/rc/rcserver/rcserver_test.go +++ b/fs/rc/rcserver/rcserver_test.go @@ -458,7 +458,7 @@ func TestMethods(t *testing.T) { Status: http.StatusOK, Expected: "", Headers: map[string]string{ - "Access-Control-Allow-Origin": "*", + "Access-Control-Allow-Origin": "http://localhost:5572/", "Access-Control-Request-Method": "POST, OPTIONS, GET, HEAD", "Access-Control-Allow-Headers": "authorization, Content-Type", },
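Review bot: The fallback branch in `handler` sends `s.URL()` as `Access-Control-Allow-Origin`, and the updated test expects that value to be `http://localhost:5572/` with a trailing slash; browsers compare this header with the request's `Origin` as an exact string, and an `Origin` never carries a path, so the default will not match any origin. That fails closed, but if the intent is to allow the server's own origin the slash should be trimmed. The `*` warning is also written through `fs.Logf` on every request, which floods the log on a busy server and buries the one line an operator should see; logging it once at startup (in the code behind `Start`, outside this hunk) would keep the signal. The value is read from the package-level `rcflags.Opt` rather than from the server's own options, which looks like it makes per-server configuration and testing harder — worth confirming against the `Server` struct, which is not visible here. `handler` continues past the end of the hunk.

```go
func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
	// … unchanged: path trimming …
	allowOrigin := rcflags.Opt.AccessControlAllowOrigin
	if allowOrigin == "" {
		// An Origin header has no path component, so drop the trailing
		// slash from the server URL before using it as the allowed origin.
		allowOrigin = strings.TrimRight(s.URL(), "/")
	}
	w.Header().Add("Access-Control-Allow-Origin", allowOrigin)
	// … unchanged: rest of handler …
```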
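Review bot: Only the default branch is covered in `TestMethods`: the expectation changes to the server URL, but nothing in this hunk exercises a configured `--rc-allow-origin` value or the `*` case. A case that sets `rcflags.Opt.AccessControlAllowOrigin`, restores it afterwards, and asserts the header value would pin both branches added to `handler`. `TestMethods` starts and ends outside the hunk.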