From fa71743f61fa2ddee0dc46dcc3bd315cb26a588b Mon Sep 17 00:00:00 2001 From: Tommaso Lanza Date: Sat, 4 Jul 2015 14:25:28 +0100 Subject: [PATCH] Add option for CORS headers Rebased version of c4b4d04 Bump version Rebased version of eafb979 Listen to OPTIONS requesut Rebased version of 0168442 --- extension.driver.php | 10 ++++++++++ extension.meta.xml | 4 ++++ lib/image.php | 19 +++++++++++++++++++ 3 files changed, 33 insertions(+) diff --git a/extension.driver.php b/extension.driver.php index cbbeecb..faea442 100755 --- a/extension.driver.php +++ b/extension.driver.php @@ -434,6 +434,12 @@ public function appendPreferences($context){ $label->setValue($input->generate() . ' ' . __('Prevent ISP proxy transformation')); $group->appendChild($label); + // text input to allow external request origins + $label = Widget::Label(__('Add Cross-Origin Header')); + $input = Widget::Input('settings[image][allow_origin]', Symphony::Configuration()->get('allow_origin', 'image')); + $label->appendChild($input); + $group->appendChild($label); + // textarea for trusted sites $label = Widget::Label(__('Trusted Sites')); $label->appendChild(Widget::Textarea('jit_image_manipulation[trusted_external_sites]', 5, 50, $this->trusted())); @@ -459,6 +465,10 @@ public function __SavePreferences($context){ $context['settings']['image']['disable_proxy_transform'] = 'no'; } + if (!isset($context['settings']['image']['allow_origin'])) { + $context['settings']['image']['allow_origin'] = '"null"'; + } + // save trusted sites $trusted_saved = $this->saveTrusted(stripslashes($_POST['jit_image_manipulation']['trusted_external_sites'])); // there were errors saving the trusted files diff --git a/extension.meta.xml b/extension.meta.xml index e0cf073..4e2e34b 100644 --- a/extension.meta.xml +++ b/extension.meta.xml @@ -16,6 +16,10 @@ + + - Add CORS header support (@tmslnz) + - Added 'max-age' hidden configuration + - Fix when no bytes are written but everything worked (#116) 
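Review bot: The new "Add Cross-Origin Header" field in `appendPreferences` has no help text, so nothing tells the administrator which values are meaningful or that the text is copied as-is into the `Access-Control-Allow-Origin` response header by lib/image.php. A short hint under the input would help, for example a help paragraph reading `A single origin such as https://example.com, or * for any origin; leave empty to send no CORS headers`. The label would also read better as a noun, e.g. `__('Allowed Cross-Origin')`, since the field holds a value rather than a switch. `appendPreferences` starts before this hunk and continues after it.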
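Review bot: The fallback in `__SavePreferences` stores `'"null"'`, a string that contains literal double quotes, and because a text input is normally posted even when empty, `isset()` is probably true for every save from this form, so the branch may never run. In both cases the saved value is a non-null string, which means the `!== null` test in lib/image.php stays true and the header is sent with either `"null"` or an empty value; once preferences have been saved there seems to be no way to switch the feature off. I would normalise the value here instead, e.g. `$origin = trim((string) $context['settings']['image']['allow_origin']);`, keep it only when it is `*` or looks like `scheme://host[:port]`, and otherwise store an empty string that the image script treats as "disabled". A `null` origin is also worth avoiding as a default, since browsers report `null` for sandboxed and `data:` documents. `__SavePreferences` starts before this hunk and continues after it.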
diff --git a/lib/image.php b/lib/image.php
index 5e2537e..65521bd 100755
--- a/lib/image.php
+++ b/lib/image.php
@@ -267,6 +267,25 @@ function __errorHandler($errno=NULL, $errstr, $errfile=NULL, $errline=NULL, $err
 $etag = NULL;
 }
+ // Allow CORS
+ // respond to preflights
+ if ($settings['image']['allow_origin'] !== null) {
+ if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
+ // return only the headers and not the content
+ // only allow CORS if we're doing a GET - i.e. no sending for now.
+ if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] == 'GET') {
+ header('Access-Control-Allow-Origin: *');
+ header('Access-Control-Allow-Headers: X-Requested-With');
+ }
+ exit;
+ } else {
+ header('Origin: ' . $settings['image']['allow_origin']);
+ header('Access-Control-Allow-Origin: ' . $settings['image']['allow_origin']);
+ header('Access-Control-Allow-Methods: GET');
+ header('Access-Control-Max-Age: 3000');
+ }
+ }
+
 // Check to see if the requested image needs to be generated or if a 304
 // can just be returned to the browser to use it's cached version.
 if(CACHING === true && (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) || isset($_SERVER['HTTP_IF_NONE_MATCH']))){
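Review bot: The OPTIONS branch answers with `Access-Control-Allow-Origin: *` even though the other branch sends the configured `allow_origin`, so a preflight is granted to any origin regardless of what the administrator entered. The `else` branch also sets `Origin:` on the response, which is a request header and does nothing there, and it attaches `Access-Control-Allow-Methods` and `Access-Control-Max-Age` to the actual response although they only have meaning on a preflight. The `!== null` guard lets an empty or placeholder string through as a header value. The rewrite below reads the setting once, skips CORS when it is empty, sends the same origin on both paths and moves the preflight-only headers into the OPTIONS branch; the code before and after this block lies outside the hunk.

```php
// … unchanged: $etag handling above …

// Allow CORS only when an origin is configured
$allowOrigin = isset($settings['image']['allow_origin']) ? trim($settings['image']['allow_origin']) : '';
if ($allowOrigin !== '') {
    header('Access-Control-Allow-Origin: ' . $allowOrigin);
    if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
        // preflight: headers only, and only GET is offered
        header('Access-Control-Allow-Methods: GET');
        header('Access-Control-Allow-Headers: X-Requested-With');
        header('Access-Control-Max-Age: 3000');
        exit;
    }
}

// … unchanged: 304 / cache check below …
```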