more robust CORS behaviour
CORS headers are designed to add security to AJAX requests among different domains (l1ce.cms:443 and l1ce.cms:3001 are different domains).
It is mainly done by setting access-control-allow-origin, which specifies which other domains are allowed to make requests to the local domain.
And what does socket.io do? They set access-control-allow-origin: *. Like so many idiots do these days.
This completely defeats the point of CORS and I will personally sabotage anyone doing stuff this way.
The NGINX config removes this header and replaces it with the proper value. You know, the hostname.
Unfortunately, some browsers (guess which one) sometimes don't set the origin header to make CORS work despite sending AJAX requests to another domain.
This is, again, completely against how things should go. But it isn't considered a big deal because everyone sets access-control-allow-origin to * anyway.
This pisses me off.
Therefore, this pull request hardens the NGINX configuration to account for this.
Thank you for your attention.
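An added illustration of the kind of hardening described above (example configuration, not the PR's own diff): NGINX strips the wildcard header that socket.io sends and reissues one pinned to the site's own origin, and a request that arrives without an Origin header, or with a foreign one, gets the site hostname rather than `*`. The hostname l1ce.cms and port 3001 come from the PR text; the upstream address 127.0.0.1 and the `/socket.io/` path are assumptions.

```nginx
# Added example, not the PR's own config. Assumes the site is served as
# https://l1ce.cms and socket.io listens on 127.0.0.1:3001 (address assumed).

# Map the request's Origin header to the one value we are willing to echo.
# No Origin header (the browser quirk described in the PR) or an Origin that
# is not ours falls back to the site's own origin, never to "*".
map $http_origin $cors_origin {
    default              "https://l1ce.cms";
    "https://l1ce.cms"   $http_origin;
}

server {
    listen 443 ssl;
    server_name l1ce.cms;

    location /socket.io/ {
        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        # Drop the upstream "Access-Control-Allow-Origin: *" so it never
        # reaches the client, then set the constrained value ourselves.
        proxy_hide_header Access-Control-Allow-Origin;
        add_header Access-Control-Allow-Origin $cors_origin always;
        # Tell caches the response depends on the request's Origin.
        add_header Vary Origin always;
    }
}
```

Check the result with `curl -sI -H 'Origin: https://evil.example' https://l1ce.cms/socket.io/?EIO=4&transport=polling` and confirm the returned header names l1ce.cms, not the foreign origin and not `*`.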