From 9816a5010fb43333b640a0fc10d44b088bdcf874 Mon Sep 17 00:00:00 2001
From: Thaddee Tyl <thaddee.tyl@gmail.com>
Date: Sun, 8 Jan 2017 16:36:32 +0100
Subject: [PATCH] Allow CORS for suggestions on https://shields.io

Issue raised here: https://twitter.com/igoradamenko_/status/818095292146941952
---
 suggest.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/suggest.js b/suggest.js
index 8ad4fc3..4b7b03b 100644
--- a/suggest.js
+++ b/suggest.js
@@ -14,7 +14,14 @@ try {
 //    - badge: shields image URL.
 //    - name: string
 var suggest = function(data, end, ask) {
-  ask.res.setHeader('Access-Control-Allow-Origin', 'http://shields.io');
+  var origin = ask.req.headers['origin'];
+  if (/^https?:\/\/shields\.io$/.test(origin)) {
+    ask.res.setHeader('Access-Control-Allow-Origin', origin);
+  } else {
+    ask.res.setHeader('Access-Control-Allow-Origin', 'null');
+    end({err:'Disallowed'});
+    return;
+  }
   try {
     var url = nodeUrl.parse(data.url);
   } catch(e) { end({err:''+e}); return; }