Add option to set CORS exposed headers (#16258)

Co-authored-by: Vaclav Sezima <[email protected]> Co-authored-by: Mike Alhayek <[email protected]> Co-authored-by: Hisham Bin Ateya <[email protected]>
OrchardCMS · Jun 7, 2024 · da73489 · da73489
1 parent 07a655b
commit da73489
Show file tree

Hide file tree

Showing 8 changed files with 30 additions and 5 deletions.
diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/Assets/Admin/cors-admin.js b/src/OrchardCore.Modules/OrchardCore.Cors/Assets/Admin/cors-admin.js
@@ -51,7 +51,8 @@ var corsApp = new Vue({
                 allowedHeaders: [],
                 allowAnyHeader: true,
                 allowCredentials: true,
-                isDefaultPolicy: false
+                isDefaultPolicy: false,
+                exposedHeaders: []
             };
         },
         editPolicy: function (policy) {

diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/Controllers/AdminController.cs b/src/OrchardCore.Modules/OrchardCore.Cors/Controllers/AdminController.cs
@@ -68,7 +68,8 @@ public async Task<ActionResult> Index()
                         AllowAnyOrigin = policySetting.AllowAnyOrigin,
                         AllowedOrigins = policySetting.AllowedOrigins,
                         AllowCredentials = policySetting.AllowCredentials,
-                        IsDefaultPolicy = policySetting.IsDefaultPolicy
+                        IsDefaultPolicy = policySetting.IsDefaultPolicy,
+                        ExposedHeaders = policySetting.ExposedHeaders,
                     };
 
                     list.Add(policyViewModel);
@@ -113,7 +114,8 @@ public async Task<ActionResult> IndexPOST()
                     AllowedHeaders = settingViewModel.AllowedHeaders,
                     AllowedMethods = settingViewModel.AllowedMethods,
                     AllowedOrigins = settingViewModel.AllowedOrigins,
-                    IsDefaultPolicy = settingViewModel.IsDefaultPolicy
+                    IsDefaultPolicy = settingViewModel.IsDefaultPolicy,
+                    ExposedHeaders = settingViewModel.ExposedHeaders,
                 });
 
                 if (settingViewModel.AllowAnyOrigin && settingViewModel.AllowCredentials)

diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/Services/CorsOptionsConfiguration.cs b/src/OrchardCore.Modules/OrchardCore.Cors/Services/CorsOptionsConfiguration.cs
@@ -69,6 +69,11 @@ public void Configure(CorsOptions options)
                     {
                         configurePolicy.DisallowCredentials();
                     }
+
+                    if (corsPolicy.ExposedHeaders?.Length > 0)
+                    {
+                        configurePolicy.WithExposedHeaders(corsPolicy.ExposedHeaders);
+                    }
                 });
 
                 if (corsPolicy.IsDefaultPolicy)

diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/Settings/CorsPolicySetting.cs b/src/OrchardCore.Modules/OrchardCore.Cors/Settings/CorsPolicySetting.cs
@@ -19,5 +19,7 @@ public class CorsPolicySetting
         public bool AllowCredentials { get; set; }
 
         public bool IsDefaultPolicy { get; set; }
+
+        public string[] ExposedHeaders { get; set; }
     }
 }
diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/ViewModels/CorsPolicyViewModel.cs b/src/OrchardCore.Modules/OrchardCore.Cors/ViewModels/CorsPolicyViewModel.cs
@@ -19,5 +19,7 @@ public class CorsPolicyViewModel
         public bool AllowCredentials { get; set; }
 
         public bool IsDefaultPolicy { get; set; }
+
+        public string[] ExposedHeaders { get; set; }
     }
 }
diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/Views/Admin/Index.cshtml b/src/OrchardCore.Modules/OrchardCore.Cors/Views/Admin/Index.cshtml
@@ -138,6 +138,18 @@
                 </div>
             </div>
         </div>
+        <div class="card mb-3">
+            <div class="card-body">
+                <h5 class="card-title">@T["Exposed headers"]
+                    <span class="hint dashed">@T["Configure which headers should be exposed."]</span>
+                </h5>
+
+                <div>
+                    <span class="hint">@T["Sets response header 'Access-Control-Expose-Headers'."]</span>
+                    <options-list v-bind:options="policy.exposedHeaders" optionType="@T["Header"]" title="@T["Exposed headers"]" subTitle="" />
+                </div>
+            </div>
+        </div>
         <div class="mb-3">
             <button type="button" class="btn btn-primary" v-on:click="$emit('ok', policy, $event)">@T["Save"]</button>
             <button type="button" class="btn btn-secondary" v-on:click="$emit('back')">@T["Cancel"]</button>

diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/wwwroot/Scripts/cors-admin.js b/src/OrchardCore.Modules/OrchardCore.Cors/wwwroot/Scripts/cors-admin.js
@@ -59,7 +59,8 @@ var corsApp = new Vue({
         allowedHeaders: [],
         allowAnyHeader: true,
         allowCredentials: true,
-        isDefaultPolicy: false
+        isDefaultPolicy: false,
+        exposedHeaders: []
       };
     },
     editPolicy: function editPolicy(policy) {

diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/wwwroot/Scripts/cors-admin.min.js b/src/OrchardCore.Modules/OrchardCore.Cors/wwwroot/Scripts/cors-admin.min.js