closes #3899

src/middleware/index.js

@@ -71,18 +71,7 @@ module.exports = function(app) {
 		saveUninitialized: true
 	}));
 
-	app.use(function (req, res, next) {
-		res.setHeader('X-Powered-By', 'NodeBB');
-
-		if (meta.config['allow-from-uri']) {
-			res.setHeader('X-Frame-Options', 'ALLOW-FROM ' + meta.config['allow-from-uri']);
-		} else {
-			res.setHeader('X-Frame-Options', 'SAMEORIGIN');
-		}
-
-		next();
-	});
-
+	app.use(middleware.addHeaders);
 	app.use(middleware.processRender);
 	auth.initialize(app, middleware);
 

src/middleware/middleware.js

@@ -7,6 +7,7 @@ var app,
 	async = require('async'),
 	path = require('path'),
 	csrf = require('csurf'),
+	_ = require('underscore'),
 
 	validator = require('validator'),
 	nconf = require('nconf'),
@@ -64,6 +65,30 @@ middleware.pageView = function(req, res, next) {
 	}
 };
 
+middleware.addHeaders = function (req, res, next) {
+	var defaults = {
+		'X-Powered-By': 'NodeBB',
+		'X-Frame-Options': 'SAMEORIGIN',
+		'Access-Control-Allow-Origin': 'null'	// yes, string null.
+	};
+	var headers = {
+		'X-Powered-By': meta.config['powered-by'],
+		'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + meta.config['allow-from-uri'] : undefined,
+		'Access-Control-Allow-Origin': meta.config['access-control-allow-origin'],
+		'Access-Control-Allow-Methods': meta.config['access-control-allow-methods'],
+		'Access-Control-Allow-Headers': meta.config['access-control-allow-headers']
+	};
+
+	_.defaults(headers, defaults);
+	headers = _.pick(headers, Boolean);		// Remove falsy headers
+
+	for(var key in headers) {
+		res.setHeader(key, headers[key]);
+	}
+
+	next();
+};
+
 middleware.pluginHooks = function(req, res, next) {
 	async.each(plugins.loadedHooks['filter:router.page'] || [], function(hookObj, next) {
 		hookObj.method(req, res, next);