diff --git a/config/global.ini.php b/config/global.ini.php
index 5d6d138f9bcd4fcaae6dc94dd3766d35548e5710..564f2e0900f468ffb85f772f1f562f85868b0b81 100644
--- a/config/global.ini.php
+++ b/config/global.ini.php
@@ -385,12 +385,14 @@ enable_trusted_host_check = 1
 ;trusted_hosts[] = example.com
 ;trusted_hosts[] = stats.example.com
 
-; List of Cross-origin resource sharing hosts (eg domain or subdomain names) when generating absolute URLs.
+; List of Cross-origin resource sharing domains (eg domain or subdomain names) when generating absolute URLs.
 ; Described here: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
 ;
 ; Examples:
-;cors_hosts[] = example.com
-;cors_hosts[] = stats.example.com
+;cors_domains[] = http://example.com
+;cors_domains[] = http://stats.example.com
+; OR allow for all domains
+;cors_domains[] = *
 
 ; If you use this Piwik instance over multiple hostnames, Piwik will need to know
 ; a unique instance_id for this instance, so that Piwik can serve the right custom logo and tmp/* assets,
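Review bot: The comment above the `cors_domains[]` examples still describes the entries as "domain or subdomain names" used "when generating absolute URLs", which no longer matches the examples and does not describe CORS. CORSHandler in this commit compares each entry to the request's Origin header with a strict `in_array`, so an entry has to be the full origin, including the scheme and any non-default port, and `https://example.com` needs its own line next to `http://example.com`. I would reword the first line to `; List of origins (scheme://host[:port]) allowed to read API responses cross-origin; each entry must match the browser's Origin header exactly.` The `*` example should also say that it lets any website read whatever the API returns for the request, so it only suits instances whose data is meant to be public.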
diff --git a/core/API/CORSHandler.php b/core/API/CORSHandler.php
new file mode 100644
index 0000000000000000000000000000000000000000..721d5a0ed36c7993b811ca4c01a272346c15d400
--- /dev/null
+++ b/core/API/CORSHandler.php
@@ -0,0 +1,34 @@
+<?php
+/**
+ * Piwik - free/libre analytics platform
+ *
+ * @link http://piwik.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ *
+ */
+namespace Piwik\API;
+
+use Piwik\Url;
+
+class CORSHandler
+{
+    /**
+     * @var array
+     */
+    protected $domains;
+
+    public function __construct()
+    {
+        $this->domains = Url::getCorsHostsFromConfig();
+    }
+
+    public function handle()
+    {
+        if (!empty($_SERVER['HTTP_ORIGIN'])) {
+            $origin = $_SERVER['HTTP_ORIGIN'];
+            if (in_array($origin, $this->domains, true)) {
+                header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
+            }
+        }
+    }
+} 
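Review bot: The `*` entry documented in global.ini.php never takes effect here: `handle()` only tests `in_array($origin, $this->domains, true)`, and a browser's Origin header is never the literal `*`, so a wildcard configuration sends no header at all. The reflected-origin branch also omits `Vary: Origin`, so a shared cache can serve a response carrying one origin's `Access-Control-Allow-Origin` to a different origin. The rewrite below handles the wildcard explicitly, adds `Vary: Origin` without replacing an existing Vary header, and reuses `$origin` instead of reading `$_SERVER` a second time. It assumes `Url::getCorsHostsFromConfig()` always returns an array, which this diff does not show.

```php
    public function handle()
    {
        if (empty($_SERVER['HTTP_ORIGIN'])) {
            return;
        }

        if (in_array('*', $this->domains, true)) {
            // wildcard entry from cors_domains[]: any origin may read the response
            header('Access-Control-Allow-Origin: *');
            return;
        }

        $origin = $_SERVER['HTTP_ORIGIN'];
        // the header value depends on the request's Origin, so caches must key on it
        header('Vary: Origin', false);
        if (in_array($origin, $this->domains, true)) {
            header('Access-Control-Allow-Origin: ' . $origin);
        }
    }
```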
diff --git a/core/API/Request.php b/core/API/Request.php
index 5fb436c2840758ddb69a33a8f256668549047423..d4bdee5d248ac73aff529e598dc420ad247cdd49 100644
--- a/core/API/Request.php
+++ b/core/API/Request.php
@@ -193,6 +193,9 @@ class Request
         // create the response
         $response = new ResponseBuilder($outputFormat, $this->request);
 
+        $corsHandler = new CORSHandler();
+        $corsHandler->handle();
+
         try {
             // read parameters
             $moduleMethod = Common::getRequestVar('method', null, 'string', $this->request);
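Review bot: Calling the handler at this point ties a response-header decision to every `Request` that is processed, whereas the removed code in plugins/API/Controller.php ran once at the HTTP entry point. If `Request` is also constructed for internal API calls (not visible in this hunk), each nested call repeats the `header()` call, and once output has started the call can no longer set the header. I would keep the two lines in the controller's `index()` where the old block was, or guard them here with `if (!headers_sent()) { $corsHandler->handle(); }`. The enclosing method starts and ends outside the hunk.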
diff --git a/core/Url.php b/core/Url.php
index 968569e526586da9e9094248685211e10185fa3d..269c3ef6d1072cce8a89fb63883c0cc4fa4a49e5 100644
--- a/core/Url.php
+++ b/core/Url.php
@@ -264,7 +264,7 @@ class Url
 
     public static function saveCORSHostnameInConfig($host)
     {
-        return self::saveHostsnameInConfig($host, 'General', 'cors_hosts');
+        return self::saveHostsnameInConfig($host, 'General', 'cors_domains');
     }
 
     protected static function saveHostsnameInConfig($host, $domain, $key)
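Review bot: Renaming the key to `cors_domains` means existing `cors_hosts[]` entries in a deployed config are no longer read, and nothing in the diff migrates or falls back to them, so CORS silently stops working after upgrade for those installs. `saveCORSHostnameInConfig($host)` now writes into a list that CORSHandler matches against full origins. If callers pass a bare hostname (the parameter name suggests so, but the callers are not visible), the saved entry can never match an Origin header. I would either read both keys during a transition or record the rename in the upgrade notes, and add a docblock such as `/** @param string $host Full origin (scheme://host[:port]) as sent in the Origin header. */`. The same rename applies to `getCorsHostsFromConfig()` in the next hunk, whose name still says hosts.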
@@ -570,7 +570,7 @@ class Url
 
     public static function getCorsHostsFromConfig()
     {
-        return self::getHostsFromConfig('General', 'cors_hosts');
+        return self::getHostsFromConfig('General', 'cors_domains');
     }
 
     /**
diff --git a/plugins/API/Controller.php b/plugins/API/Controller.php
index f713bf3203c08cd3d65e4fdd22d98839f2af64db..9a6b3fc5e7b40723faba25e5d5d3d76be8ea5c68 100644
--- a/plugins/API/Controller.php
+++ b/plugins/API/Controller.php
@@ -29,11 +29,6 @@ class Controller extends \Piwik\Plugin\Controller
             $_GET['filter_limit'] = Config::getInstance()->General['API_datatable_default_limit'];
         }
 
-        $corsHosts = Url::getCorsHostsFromConfig();
-        if (!empty($corsHosts)) {
-            header('Access-Control-Allow-Origin: ' . implode(',', $corsHosts));
-        }
-
         $request = new Request('token_auth=' . Common::getRequestVar('token_auth', 'anonymous', 'string'));
         return $request->process();
     }