diff --git a/Changelog.md b/Changelog.md
index 618f5f5..530fe23 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -9,10 +9,16 @@ This is the changelog for the air quality web interface and its associated HTTP
 - `[Code]` refers to internal changes to the code that have no direct impact on the web interface or the HTTP API, but are significant enough to warrant note.
 - `[Docs]` refers to changes to the [documentation](https://aq.connectedhumber.org/__nightdocs/00-Welcome.html).
+
+## v0.13.6
+ - [Code] Add option to allow cross-origin-request sharing HTTP API requests
+
+
 ## v0.13.5
 - Disable the tour, as it's now causing a crash on startup :-(
 - [API] Don't return devices in the device lists that have the `visible` flag in the database set to `0`
+
 ## v0.13.4
 - [API] Fix crash in `list-devices-near` action
diff --git a/api.php b/api.php
index 7806037..c4ba6cc 100644
--- a/api.php
+++ b/api.php
@@ -78,6 +78,10 @@ if(!class_exists($handler_name)) {
 exit("Error: No action with the name '$action' could be found.");
 }
+if($settings->get("http.cors") !== false) {
+ header("access-control-allow-origin: " . $settings->get("http.cors"));
+}
+
 $handler = $di_container->get($handler_name);
 $perfcounter->start("handle");
diff --git a/settings.default.toml b/settings.default.toml
index 44b5d73..139277d 100644
--- a/settings.default.toml
+++ b/settings.default.toml
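Review bot: In api.php, the new guard `$settings->get("http.cors") !== false` lets every non-false value reach `header()`, so an empty string, a TOML `true`, or a missing key (if `get()` returns null for it, which is not visible here) would emit a blank or meaningless `access-control-allow-origin` value. I would read the setting once and require a non-empty string: `$cors = $settings->get("http.cors");` followed by `if(is_string($cors) && $cors !== "") header("access-control-allow-origin: $cors");`. The header is also sent only after the `class_exists` check, so the `exit("Error: ...")` response just above goes out without it and a cross-origin client cannot read that error; moving the block ahead of the action lookup would cover it, though that code starts outside the hunk. A one-line comment saying that `"*"` is only appropriate while the API serves public data without cookies or other ambient credentials would help the next maintainer.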
@@ -7,6 +7,19 @@
 # The operating mode. Can be either "development", or "production" (default; activates a number of optimisations which might make development harder, such as 3rd-party library caches)
 mode = "production"
+[http]
+# HTTP related settings
+
+# Whether to enable cross-origin-request-sharing. This allows HTTP API queries
+# from origins other than that of the origin of the HTTP API itself.
+# For example, if the HTTP API is running on sensors.connectedhumber.org, then
+# Without CORS a client-side Javascript program running on foo.example.com would
+# not be able to request data.
+# Possible values: false (disabled), a string (an origin to allow; set via the access-control-allow-origin header), or the special string "*" (allows all origins)
+cors = false
+# cors = "subdomain.example.com"
+# cors = "*"
+
 [database]
 # Settings that control the database, or the connection to it
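Review bot: The commented example `# cors = "subdomain.example.com"` is not a value browsers will accept, because `access-control-allow-origin` is compared against the full serialized origin, including the scheme and any non-default port. I would change it to `# cors = "https://subdomain.example.com"` and have the `Possible values` comment state that exactly one origin, written with its scheme, can be configured. The same comment could note that `"*"` is meant for publicly readable data: browsers will not attach credentials to such requests, but any page a user visits can then read responses from an instance that is reachable only on an internal network.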