fix: Update allowOrigin function to support dynamic CORS headers

Daniel Neto · Daniel Neto · commit ec29a3d1c6ca · 2026-04-03T11:13:38.000-03:00
diff --git a/objects/functions.php b/objects/functions.php
@@ -2757,11 +2757,29 @@ function object_to_array($obj, $level = 0)
     }
 }
 
-function allowOrigin()
+function allowOrigin($allowAll = false)
 {
     global $global;
     cleanUpAccessControlHeader();
 
+    // Public resources (e.g. VAST/VMAP ad XML) should be readable by any
+    // origin.  Pass $allowAll = true to emit Access-Control-Allow-Origin: *
+    // and skip credential-related headers (browsers reject credentials + *).
+    if ($allowAll) {
+        header('Access-Control-Allow-Origin: *');
+        header('Access-Control-Allow-Private-Network: true');
+        header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD');
+        header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, ua-resolution, APISecret, Origin, Accept, Access-Control-Request-Method, Access-Control-Request-Headers');
+        if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+            header('Access-Control-Max-Age: 86400');
+            header('Access-Control-Allow-Private-Network: true');
+            http_response_code(204);
+            exit;
+        }
+        return;
+    }
+
+
     // Derive the site's own origin from configuration so we can validate
     // inbound Origin headers instead of blindly reflecting them.
     // Reflecting an arbitrary Origin with Access-Control-Allow-Credentials:true
diff --git a/plugin/AD_Server/VAST.php b/plugin/AD_Server/VAST.php
@@ -2,8 +2,7 @@
 header('Content-type: application/xml');
 
 require_once '../../videos/configuration.php';
-allowOrigin();
-header('Access-Control-Allow-Credentials: true');
+allowOrigin(true);
 require_once $global['systemRootPath'] . 'objects/video.php';
 $ad_server = AVideoPlugin::loadPlugin('AD_Server');
 $obj = AVideoPlugin::getObjectData('AD_Server');
@@ -62,7 +61,7 @@
                         <Creative id="Linear_<?php echo $_GET['campaign_has_videos_id']; ?>" sequence="1">
                             <Linear skipoffset="<?php echo $obj->skipoffset->value; ?>">
                                 <Duration><?php echo $video->getDuration(); ?></Duration>
-                                
+
                                 <TrackingEvents>
                                     <Tracking event="start">
                                         <![CDATA[<?php echo $global['webSiteRootURL']; ?>plugin/AD_Server/log.php?videos_id=<?php echo $videos_id; ?>&label=<?php echo AD_Server::AD_STARTED; ?>&ad_mt=[AD_MT]&campaign_has_videos_id=<?php echo $_GET['campaign_has_videos_id']; ?>]]>
@@ -253,4 +252,4 @@
             </Extensions>
         </InLine>
     </Ad>
-</VAST>
+</VAST>
diff --git a/plugin/AD_Server/VMAP.php b/plugin/AD_Server/VMAP.php
@@ -2,8 +2,7 @@
 header('Content-type: application/xml');
 
 require_once '../../videos/configuration.php';
-allowOrigin();
-header('Access-Control-Allow-Credentials: true');
+allowOrigin(true);
 $ad_server = AVideoPlugin::loadPluginIfEnabled('AD_Server');
 if (empty($ad_server)) {
     die("not enabled");
@@ -52,7 +51,7 @@
         $AdTagURI = addQueryStringParameter($AdTagURI, 'vmap_id', $_GET['vmap_id'] ?? '');
         $AdTagURI = addQueryStringParameter($AdTagURI, 'key', $key);
         $AdTagURI = addQueryStringParameter($AdTagURI, 'videos_id', $videos_id);
-        
+
         $AdTagURI = AVideoPlugin::replacePlaceHolders($AdTagURI, $videos_id);
         ?>
         <vmap:AdBreak timeOffset="<?php echo $value['timeOffset']; ?>">
@@ -64,4 +63,4 @@
     }
     ?>
 </vmap:VMAP>
-<!-- AD_Server -->
+<!-- AD_Server -->
