Add origin option so CORS can be configured to a specified policy (#73)

igm · Jun 21, 2019 · 7e107b4 · 7e107b4
1 parent 1840ed9
commit 7e107b4
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 12 deletions.
diff --git a/sockjs/handler.go b/sockjs/handler.go
@@ -37,7 +37,7 @@ func newHandler(prefix string, opts Options, handlerFunc func(Session)) *handler
 		handlerFunc: handlerFunc,
 		sessions:    make(map[string]*session),
 	}
-
+	xhrCors := xhrCorsFactory(opts.Origin)
 	sessionPrefix := prefix + "/[^/.]+/[^/.]+"
 	h.mappings = []*mapping{
 		newMapping("GET", prefix+"[/]?$", welcomeHandler),

diff --git a/sockjs/options.go b/sockjs/options.go
@@ -58,6 +58,9 @@ type Options struct {
 	// This setting controls if the server should set this cookie to a dummy value.
 	// By default setting JSessionID cookie is disabled. More sophisticated behaviour can be achieved by supplying a function.
 	JSessionID func(http.ResponseWriter, *http.Request)
+	// CORS origin to be set on outgoing responses. If set to the empty string, it will default to the
+	// incoming `Origin` header, or "*" if the Origin header isn't set.
+	Origin string
 }
 
 // DefaultOptions is a convenient set of options to be used for sockjs

diff --git a/sockjs/web.go b/sockjs/web.go
@@ -6,18 +6,23 @@ import (
 	"time"
 )
 
-func xhrCors(rw http.ResponseWriter, req *http.Request) {
-	header := rw.Header()
-	origin := req.Header.Get("origin")
-	if origin == "" {
-		origin = "*"
+func xhrCorsFactory(defaultOrigin string) func(rw http.ResponseWriter, req *http.Request) {
+	return func(rw http.ResponseWriter, req *http.Request) {
+		header := rw.Header()
+		origin := defaultOrigin
+		if origin == "" {
+			origin = req.Header.Get("origin")
+		}
+		if origin == "" || origin == "null" {
+			origin = "*"
+		}
+		header.Set("Access-Control-Allow-Origin", origin)
+
+		if allowHeaders := req.Header.Get("Access-Control-Request-Headers"); allowHeaders != "" && allowHeaders != "null" {
+			header.Add("Access-Control-Allow-Headers", allowHeaders)
+		}
+		header.Set("Access-Control-Allow-Credentials", "true")
 	}
-	header.Set("Access-Control-Allow-Origin", origin)
-
-	if allowHeaders := req.Header.Get("Access-Control-Request-Headers"); allowHeaders != "" && allowHeaders != "null" {
-		header.Add("Access-Control-Allow-Headers", allowHeaders)
-	}
-	header.Set("Access-Control-Allow-Credentials", "true")
 }
 
 func xhrOptions(rw http.ResponseWriter, req *http.Request) {

diff --git a/sockjs/web_test.go b/sockjs/web_test.go
@@ -10,6 +10,7 @@ import (
 func TestXhrCors(t *testing.T) {
 	recorder := httptest.NewRecorder()
 	req, _ := http.NewRequest("GET", "/", nil)
+	xhrCors := xhrCorsFactory("")
 	xhrCors(recorder, req)
 	acao := recorder.Header().Get("access-control-allow-origin")
 	if acao != "*" {