From a0803765faa4ea0b407bbeae7c36cc2a87a7db43 Mon Sep 17 00:00:00 2001
From: Prinzhorn
Date: Fri, 20 Nov 2015 11:35:05 +0100
Subject: [PATCH 1/3] added tests for cors
---
test/apps/cors/cors.txt | 0
test/cors.js | 105 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 105 insertions(+)
create mode 100644 test/apps/cors/cors.txt
create mode 100644 test/cors.js
diff --git a/test/apps/cors/cors.txt b/test/apps/cors/cors.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/test/cors.js b/test/cors.js
new file mode 100644
index 00000000..53a9d9c0
--- /dev/null
+++ b/test/cors.js
@@ -0,0 +1,105 @@
+var should = require("should")
+var request = require('request')
+var path = require("path")
+var harp = require("../")
+
+describe("cors", function(){
+
+ describe("no-cors", function(){
+ var projectPath = path.join(__dirname, "apps/cors")
+ var port = 8120
+
+ before(function(done){
+ harp.server(projectPath, { port: port }, done);
+ })
+
+ it("should not allow access at all", function(done){
+ request('http://localhost:'+ port +'/cors.txt', function (e, r, b) {
+ r.statusCode.should.eql(200)
+ r.headers.should.not.have.property("access-control-allow-origin")
+ done()
+ })
+ })
+ })
+
+ describe("wildcard", function(){
+ var projectPath = path.join(__dirname, "apps/cors")
+ var port = 8121
+ var cors = true
+
+ before(function(done){
+ harp.server(projectPath, { port: port, cors: cors }, done);
+ })
+
+ it("should allow access from every origin", function(done){
+ var options = {
+ url: 'http://localhost:'+ port +'/cors.txt',
+ headers: {
+ Origin: 'http://some.random.origin'
+ }
+ }
+
+ request(options, function (e, r, b) {
+ r.statusCode.should.eql(200)
+ r.headers.should.have.property("access-control-allow-origin", "http://some.random.origin")
+ done()
+ })
+ })
+ })
+
+ describe("specific-domains", function(){
+ var projectPath = path.join(__dirname, "apps/cors")
+ var port = 8122
+ var cors = ["http://first.allowed.origin", "http://second.allowed.origin"]
+
+ before(function(done){
+ harp.server(projectPath, { port: port, cors: cors }, done);
+ })
+
+ it("should allow access from origin http://first.allowed.origin", function(done){
+ var options = {
+ url: 'http://localhost:'+ port +'/cors.txt',
+ headers: {
+ Origin: 'http://first.allowed.origin'
+ }
+ }
+
+ request(options, function (e, r, b) {
+ r.statusCode.should.eql(200)
+ r.headers.should.have.property("access-control-allow-origin", "http://first.allowed.origin")
+ done()
+ })
+ })
+
+ it("should allow access from origin http://second.allowed.origin", function(done){
+ var options = {
+ url: 'http://localhost:'+ port +'/cors.txt',
+ headers: {
+ Origin: 'http://second.allowed.origin'
+ }
+ }
+
+ request(options, function (e, r, b) {
+ r.statusCode.should.eql(200)
+ r.headers.should.have.property("access-control-allow-origin", "http://second.allowed.origin")
+ done()
+ })
+ })
+
+ it("should prevent access from http://evil.origin", function(done){
+ var options = {
+ url: 'http://localhost:'+ port +'/cors.txt',
+ headers: {
+ Origin: 'http://evil.origin'
+ }
+ }
+
+ request(options, function (e, r, b) {
+ r.statusCode.should.eql(200)
+ r.headers.should.not.have.property("access-control-allow-origin")
+ done()
+ })
+ })
+ })
+
+})
From 0815f28d41c70e5f38cac4b52231dd3bd72d6ad1 Mon Sep 17 00:00:00 2001
From: Prinzhorn
Date: Fri, 20 Nov 2015 11:35:16 +0100
Subject: [PATCH 2/3] implemented cors support
---
bin/harp | 15 ++++++++++++++-
lib/index.js | 6 ++++++
package.json | 1 +
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/bin/harp b/bin/harp
index 7b629dfb..77ae0791 100755
--- a/bin/harp
+++ b/bin/harp
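Review bot: The only negative case in the `specific-domains` block of test/cors.js uses `http://evil.origin`, which has nothing in common with the allow-list, so an implementation that matched origins by prefix or substring would still pass this suite. A near-miss case pins exact matching; the value in the fence below is constructed for the test, and a second case differing only in scheme or port would be worth adding the same way. Because the `wildcard` test shows the request origin being echoed back, the positive tests could also assert a `Vary` header containing `Origin`, assuming the middleware emits one, so a shared cache cannot hand one origin's response to another. Every `request` callback in this hunk and in the PATCH 3/3 hunk also ignores `e`; `if (e) return done(e)` as the first line turns a failed connection into a clean test failure instead of a TypeError on `r.statusCode`.

```javascript
// … unchanged: "should prevent access from http://evil.origin" …

    // constructed near-miss: an allowed origin used as a prefix of a longer host
    it("should prevent access from an origin that only starts with an allowed one", function(done){
      var options = {
        url: 'http://localhost:'+ port +'/cors.txt',
        headers: {
          Origin: 'http://first.allowed.origin.example'
        }
      }

      request(options, function (e, r, b) {
        if (e) return done(e)
        r.statusCode.should.eql(200)
        r.headers.should.not.have.property("access-control-allow-origin")
        done()
      })
    })
```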
@@ -78,13 +78,26 @@ program
 .command("server [path]")
 .option("-i, --ip ", "Specify IP to bind to")
 .option("-p, --port ", "Specify a port to listen on")
+ .option("-c, --cors ", "Specify a comma separated list of origins or \"*\" for all")
 .usage("starts a Harp server in current directory, or in the specified directory.")
 .description("Start a Harp server in current directory")
 .action(function(path, program){
 var projectPath = nodePath.resolve(process.cwd(), path || "")
 var ip = program.ip || '0.0.0.0'
 var port = program.port || 9000
- harp.server(projectPath, { ip: ip, port: port }, function(){
+ var cors
+
+ if(!program.cors) {
+ cors = false;
+ } else if(program.cors === '*') {
+ cors = true;
+ } else {
+ cors = program.cors.split(',').map(function(domain) {
+ return domain.trim()
+ })
+ }
+
+ harp.server(projectPath, { ip: ip, port: port, cors: cors }, function(){
 var address = ''
 if(ip == '0.0.0.0' || ip == '127.0.0.1') {
 address = 'localhost'
diff --git a/lib/index.js b/lib/index.js
index 860664f4..e5f35b88 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -4,6 +4,7 @@ var terraform = require('terraform')
 var async = require('async')
 var connect = require('connect')
 var mime = require('mime')
+var cors = require('cors')
 var helpers = require('./helpers')
 var middleware = require('./middleware')
 var pkg = require('../package.json')
@@ -21,6 +22,11 @@ exports.server = function(dirPath, options, callback){
 app.use(middleware.regProjectFinder(dirPath))
 app.use(middleware.setup)
 app.use(middleware.basicAuth)
+
+ if(options.cors) {
+ app.use(cors({origin: options.cors}))
+ }
+
 app.use(middleware.underscore)
 app.use(middleware.mwl)
 app.use(middleware.static)
diff --git a/package.json b/package.json
index c6567b49..2f604c2e 100644
--- a/package.json
+++ b/package.json
@@ -37,6 +37,7 @@
 "async": "0.2.9",
 "commander": "2.0.0",
 "connect": "2.30.2",
+ "cors": "2.7.1",
 "download-github-repo": "0.1.3",
 "envy-json": "0.2.1",
 "escape-html": "1.0.3",
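Review bot: In the bin/harp `.action` handler, `--cors "*"` is mapped to `cors = true`, which is not a wildcard: the `wildcard` test in PATCH 1/3 shows the server then echoing whatever `Origin` the request carries rather than sending a literal `*`. That is low-risk while only `origin` is passed to the middleware, but an echoed origin is the setting that becomes credentialed cross-origin access as soon as `credentials` is ever enabled, whereas browsers refuse to combine a literal `*` with credentials. Either pass the string through with `cors = '*'` (which the cors package should emit as a literal `*`; the wildcard test would then expect `*`), or state the echo behaviour in the option's help text. The list branch also keeps empty entries from input such as a trailing comma; `.filter(Boolean)` after the `.map(...)` would drop them. The `.action` callback continues past the end of the hunk.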
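Review bot: In lib/index.js, `app.use(cors({origin: options.cors}))` is mounted after `middleware.basicAuth`, so whether CORS headers ever reach the browser depends on how basicAuth ends a rejected request, which this hunk does not show. If it answers 401 without calling `next()`, preflight `OPTIONS` requests (which carry no credentials) and the 401 responses themselves get no CORS headers, and cross-origin use of a password-protected project will fail in the browser. If that fail-closed order is intended, a comment such as `// after basicAuth on purpose: unauthenticated responses get no CORS headers` would stop it being reordered later; the tests in this series do not cover a project with basic auth either way. `options.cors` is also passed to the middleware unvalidated, so programmatic callers can supply anything the cors package accepts as `origin`, and the accepted values should be documented. The body of `exports.server` starts and ends outside the hunk.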
From 256701ce1054cb2c8b9399cd9599a50fc123257f Mon Sep 17 00:00:00 2001
From: Prinzhorn
Date: Fri, 20 Nov 2015 11:39:26 +0100
Subject: [PATCH 3/3] make the non-cors test actually test something
---
test/cors.js | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/test/cors.js b/test/cors.js
index 53a9d9c0..13a2605e 100644
--- a/test/cors.js
+++ b/test/cors.js
@@ -14,7 +14,14 @@ describe("cors", function(){
 })
 
 it("should not allow access at all", function(done){
- request('http://localhost:'+ port +'/cors.txt', function (e, r, b) {
+ var options = {
+ url: 'http://localhost:'+ port +'/cors.txt',
+ headers: {
+ Origin: 'http://some.random.origin'
+ }
+ }
+
+ request(options, function (e, r, b) {
 r.statusCode.should.eql(200)
 r.headers.should.not.have.property("access-control-allow-origin")
 done()