fix CORS origins to avoid domain hijacking

Signed-off-by: Marcos Lilljedahl <marcosnils@gmail.com>
play-with-docker · Mar 2, 2023 · ed82247 · ed82247
1 parent 2b95e66
commit ed82247
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/handlers/bootstrap.go b/handlers/bootstrap.go
@@ -70,10 +70,10 @@ func Register(extend HandlerExtender) {
 
 	corsHandler := gh.CORS(gh.AllowCredentials(), gh.AllowedHeaders([]string{"x-requested-with", "content-type"}), gh.AllowedMethods([]string{"GET", "POST", "HEAD", "DELETE"}), gh.AllowedOriginValidator(func(origin string) bool {
 		if strings.Contains(origin, "localhost") ||
-			strings.HasSuffix(origin, "play-with-docker.com") ||
-			strings.HasSuffix(origin, "play-with-kubernetes.com") ||
-			strings.HasSuffix(origin, "docker.com") ||
-			strings.HasSuffix(origin, "play-with-go.dev") {
+			strings.HasSuffix(origin, ".play-with-docker.com") ||
+			strings.HasSuffix(origin, ".play-with-kubernetes.com") ||
+			strings.HasSuffix(origin, ".docker.com") ||
+			strings.HasSuffix(origin, ".play-with-go.dev") {
 			return true
 		}
 		return false