mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731)
The same-origin policy enforced by browsers is a security measure that should
only be turned off when it is safe to do so. It is safe to do so in Prosody's
default modules, but people may load third-party modules that are unsafe.
Therefore we have flipped the default, so that modules must explicitly opt in
to having CORS headers added on their requests.
rules:
- id: log-variable-fmtstring
  patterns:
  - pattern: log("...", $A)
  - pattern-not: log("...", "...")
  message: Variable passed as format string to logging
  languages: [lua]
  severity: ERROR
- id: module-log-variable-fmtstring
  patterns:
  - pattern: module:log("...", $A)
  - pattern-not: module:log("...", "...")
  message: Variable passed as format string to logging
  languages: [lua]
  severity: ERROR
- id: module-getopt-string-default
  patterns:
  - pattern: module:get_option_string("...", $A)
  - pattern-not: module:get_option_string("...", "...")
  - pattern-not: module:get_option_string("...", host)
  - pattern-not: module:get_option_string("...", module.host)
  message: Non-string default from :get_option_string
  severity: ERROR
  languages: [lua]
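
What the two `*-log-variable-fmtstring` rules guard against, as an added example that is not part of the Prosody repository: a logger that treats its second argument as a format string misbehaves when a variable containing `%` lands in that position. The `log` function here is a constructed stand-in built on `string.format` (an assumption, not Prosody's logger), and the sample values are constructed.

```lua
-- Constructed stand-in logger with the same call shape the rules match:
-- log(level, format, ...). Assumption: formatting is done by string.format.
local function log(level, fmt, ...)
	return ("%-5s %s"):format(level, fmt:format(...))
end

-- Run a call under pcall so a formatting error is reported, not fatal.
local function try(f, ...)
	local ok, result = pcall(f, ...)
	return ok and result or ("ERROR: " .. tostring(result))
end

-- Constructed values standing in for remote-controlled data
-- (for example a nickname or a resource string).
local samples = { "alice", "100%", "bob%s%s", "eve %d" }

for _, nick in ipairs(samples) do
	-- Matched by log-variable-fmtstring: two arguments, the second a variable.
	-- Any '%' in the value is interpreted as a conversion specifier.
	print("flagged:", try(log, "info", nick))

	-- Not matched: the format is a string literal and the value is data.
	print("fixed:  ", try(log, "info", "%s", nick))
end
```

Only the first sample survives the flagged call; the other three raise a formatting error, while the fixed call logs every value verbatim.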