Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

repo/http: add CORS headers to allow clone/push from browser agents #4970

merged 1 commit into from Mar 14, 2018
Changes from all commits
File filter
Filter by extension
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
@@ -635,8 +635,10 @@ func runWeb(c *cli.Context) error {
// e.g. with or without ".git" suffix.
m.Group("/:reponame([\\d\\w-_\\.]+\\.git$)", func() {
m.Get("", ignSignIn, context.RepoAssignment(), context.RepoRef(), repo.Home)
m.Options("/*", ignSignInAndCsrf, repo.HTTPContexter(), repo.HTTP)
m.Route("/*", "GET,POST", ignSignInAndCsrf, repo.HTTPContexter(), repo.HTTP)
m.Options("/:reponame/*", ignSignInAndCsrf, repo.HTTPContexter(), repo.HTTP)
m.Route("/:reponame/*", "GET,POST", ignSignInAndCsrf, repo.HTTPContexter(), repo.HTTP)
// ***** END: Repository *****
@@ -56,6 +56,18 @@ func askCredentials(c *context.Context, status int, text string) {

func HTTPContexter() macaron.Handler {
return func(c *context.Context) {
if len(setting.HTTP.AccessControlAllowOrigin) > 0 {
// Set CORS headers for browser-based git clients
c.Resp.Header().Set("Access-Control-Allow-Origin", setting.HTTP.AccessControlAllowOrigin)
c.Resp.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")

// Handle preflight OPTIONS request
if c.Req.Method == "OPTIONS" {

ownerName := c.Params(":username")
repoName := strings.TrimSuffix(c.Params(":reponame"), ".git")
repoName = strings.TrimSuffix(repoName, ".wiki")