Add CORS header to allow any origin.

We don't need CORS protection because we don't use cookies at all
(so a different origin cant exploit cookie saving to steal our
session).

src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java

@@ -20,6 +20,7 @@ import com.google.common.base.Optional;
 import com.yammer.dropwizard.Service;
 import com.yammer.dropwizard.config.Bootstrap;
 import com.yammer.dropwizard.config.Environment;
+import com.yammer.dropwizard.config.FilterBuilder;
 import com.yammer.dropwizard.db.DatabaseConfiguration;
 import com.yammer.dropwizard.jdbi.DBIFactory;
 import com.yammer.dropwizard.migrations.MigrationsBundle;
@@ -62,9 +63,11 @@ import org.whispersystems.textsecuregcm.storage.PendingDeviceRegistrations;
 import org.whispersystems.textsecuregcm.storage.PendingDevicesManager;
 import org.whispersystems.textsecuregcm.storage.StoredMessageManager;
 import org.whispersystems.textsecuregcm.storage.StoredMessages;
+import org.whispersystems.textsecuregcm.util.CORSHeaderFilter;
 import org.whispersystems.textsecuregcm.util.UrlSigner;
 import org.whispersystems.textsecuregcm.workers.DirectoryCommand;
 
+import java.io.IOException;
 import java.security.Security;
 import java.util.concurrent.TimeUnit;
 
@@ -143,6 +146,8 @@ public class WhisperServerService extends Service<WhisperServerConfiguration> {
     environment.addProvider(new IOExceptionMapper());
     environment.addProvider(new RateLimitExceededExceptionMapper());
 
+    environment.addFilter(new CORSHeaderFilter(), "/*");
+
     if (config.getGraphiteConfiguration().isEnabled()) {
       GraphiteReporter.enable(15, TimeUnit.SECONDS,
                               config.getGraphiteConfiguration().getHost(),

src/main/java/org/whispersystems/textsecuregcm/util/CORSHeaderFilter.java

@@ -0,0 +1,41 @@
+/**
+ * Copyright (C) 2014 Open WhisperSystems
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.whispersystems.textsecuregcm.util;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class CORSHeaderFilter implements Filter {
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+    if (response instanceof HttpServletResponse) {
+      ((HttpServletResponse) response).addHeader("Access-Control-Allow-Origin", "*");
+      ((HttpServletResponse) response).addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
+      ((HttpServletResponse) response).addHeader("Access-Control-Allow-Headers", "Authorization, Content-type");
+    }
+    chain.doFilter(request, response);
+  }
+
+  @Override public void init(FilterConfig filterConfig) throws ServletException { }
+  @Override public void destroy() { }
+}