Skip to content
Permalink
Browse files

fix CORS header fields from being clobbered by error pages. Closes #661

  • Loading branch information...
tj committed May 16, 2018
1 parent c6cb2ca commit 40641b0d533cbaf39141281c258a8a5e0b3383a5
Showing with 11 additions and 15 deletions.
  1. +2 −2 handler/handler.go
  2. +9 −13 internal/util/util.go
@@ -45,6 +45,8 @@ func New(c *up.Config, h http.Handler) (http.Handler, error) {
return nil, errors.Wrap(err, "headers")
}

h = cors.New(c, h)

h, err = errorpages.New(c, h)
if err != nil {
return nil, errors.Wrap(err, "error pages")
@@ -55,8 +57,6 @@ func New(c *up.Config, h http.Handler) (http.Handler, error) {
return nil, errors.Wrap(err, "inject")
}

h = cors.New(c, h)

h, err = redirects.New(c, h)
if err != nil {
return nil, errors.Wrap(err, "redirects")
@@ -28,20 +28,16 @@ import (
"golang.org/x/net/publicsuffix"
)

// Fields retained when clearing.
var keepFields = map[string]bool{
"X-Powered-By": true,
}

// ClearHeader removes all header fields.
// ClearHeader removes all content header fields.
func ClearHeader(h http.Header) {
for k := range h {
if keepFields[k] {
continue
}

h.Del(k)
}
h.Del("Content-Type")
h.Del("Content-Length")
h.Del("Content-Encoding")
h.Del("Content-Range")
h.Del("Content-MD5")
h.Del("Cache-Control")
h.Del("ETag")
h.Del("Last-Modified")
}

// ManagedByUp appends "Managed by Up".

0 comments on commit 40641b0

Please sign in to comment.
You can’t perform that action at this time.