5 files changed, 52 insertions, 16 deletions

diff --git a/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs b/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
index 517d77412..8dcce93a4 100644
--- a/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
+++ b/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
@@ -134,13 +134,17 @@ namespace Jellyfin.Server.Extensions
         /// </summary>
         /// <param name="serviceCollection">The service collection.</param>
         /// <param name="pluginAssemblies">An IEnumerable containing all plugin assemblies with API controllers.</param>
+        /// /// <param name="corsHosts">The configured cors hosts.</param>
         /// <returns>The MVC builder.</returns>
-        public static IMvcBuilder AddJellyfinApi(this IServiceCollection serviceCollection, IEnumerable<Assembly> pluginAssemblies)
+        public static IMvcBuilder AddJellyfinApi(
+            this IServiceCollection serviceCollection,
+            IEnumerable<Assembly> pluginAssemblies,
+            string[] corsHosts)
         {
             IMvcBuilder mvcBuilder = serviceCollection
                 .AddCors(options =>
                 {
-                    options.AddPolicy(ServerCorsPolicy.DefaultPolicyName, ServerCorsPolicy.DefaultPolicy);
+                    options.AddPolicy(ServerCorsPolicy.DefaultPolicyName, new ServerCorsPolicy(corsHosts).Policy);
                 })
                 .Configure<ForwardedHeadersOptions>(options =>
                 {
diff --git a/Jellyfin.Server/Middleware/CorsPolicyProvider.cs b/Jellyfin.Server/Middleware/CorsPolicyProvider.cs
new file mode 100644
index 000000000..7c2b28ed8
--- /dev/null
+++ b/Jellyfin.Server/Middleware/CorsPolicyProvider.cs
@@ -0,0 +1,7 @@
+namespace Jellyfin.Server.Middleware
+{
+    public class CorsPolicyProvider
+    {
+        
+    }
+}
diff --git a/Jellyfin.Server/Models/ServerCorsPolicy.cs b/Jellyfin.Server/Models/ServerCorsPolicy.cs
index ae010c042..3a45db3b4 100644
--- a/Jellyfin.Server/Models/ServerCorsPolicy.cs
+++ b/Jellyfin.Server/Models/ServerCorsPolicy.cs
@@ -1,30 +1,47 @@
-using Microsoft.AspNetCore.Cors.Infrastructure;
+using System;
+using Microsoft.AspNetCore.Cors.Infrastructure;
 
 namespace Jellyfin.Server.Models
 {
     /// <summary>
     /// Server Cors Policy.
     /// </summary>
-    public static class ServerCorsPolicy
+    public class ServerCorsPolicy
     {
         /// <summary>
         /// Default policy name.
         /// </summary>
-        public const string DefaultPolicyName = "DefaultCorsPolicy";
+        public const string DefaultPolicyName = nameof(ServerCorsPolicy);
 
         /// <summary>
-        /// Default Policy. Allow Everything.
+        /// Initializes a new instance of the <see cref="ServerCorsPolicy"/> class.
         /// </summary>
-        public static readonly CorsPolicy DefaultPolicy = new CorsPolicy
+        /// <param name="corsHosts">The configured cors hosts.</param>
+        public ServerCorsPolicy(string[] corsHosts)
         {
-            // Allow any origin
-            Origins = { "*" },
+            var builder = new CorsPolicyBuilder()
+                .AllowAnyMethod()
+                .AllowAnyHeader();
 
-            // Allow any method
-            Methods = { "*" },
+            // No hosts configured or only default configured.
+            if (corsHosts.Length == 0
+                || (corsHosts.Length == 1
+                    && string.Equals(corsHosts[0], "*", StringComparison.Ordinal)))
+            {
+                builder.AllowAnyOrigin();
+            }
+            else
+            {
+                builder.WithOrigins(corsHosts)
+                    .AllowCredentials();
+            }
 
-            // Allow any header
-            Headers = { "*" }
-        };
+            Policy = builder.Build();
+        }
+
+        /// <summary>
+        /// Gets the cors policy.
+        /// </summary>
+        public CorsPolicy Policy { get; }
     }
-}
\ No newline at end of file
+}
diff --git a/Jellyfin.Server/Startup.cs b/Jellyfin.Server/Startup.cs
index 597323b86..5601915a3 100644
--- a/Jellyfin.Server/Startup.cs
+++ b/Jellyfin.Server/Startup.cs
@@ -53,7 +53,9 @@ namespace Jellyfin.Server
             {
                 options.HttpsPort = _serverApplicationHost.HttpsPort;
             });
-            services.AddJellyfinApi(_serverApplicationHost.GetApiPluginAssemblies());
+            services.AddJellyfinApi(
+                _serverApplicationHost.GetApiPluginAssemblies(),
+                _serverConfigurationManager.Configuration.CorsHosts);
 
             services.AddJellyfinApiSwagger();
 
diff --git a/MediaBrowser.Model/Configuration/ServerConfiguration.cs b/MediaBrowser.Model/Configuration/ServerConfiguration.cs
index 97748bd0c..68dc1cc83 100644
--- a/MediaBrowser.Model/Configuration/ServerConfiguration.cs
+++ b/MediaBrowser.Model/Configuration/ServerConfiguration.cs
@@ -264,6 +264,11 @@ namespace MediaBrowser.Model.Configuration
         public long SlowResponseThresholdMs { get; set; }
 
         /// <summary>
+        /// Gets or sets the cors hosts.
+        /// </summary>
+        public string[] CorsHosts { get; set; }
+
+        /// <summary>
         /// Initializes a new instance of the <see cref="ServerConfiguration" /> class.
         /// </summary>
         public ServerConfiguration()
@@ -372,6 +377,7 @@ namespace MediaBrowser.Model.Configuration
 
             EnableSlowResponseWarning = true;
             SlowResponseThresholdMs = 500;
+            CorsHosts = new[] { "*" };
         }
     }