
Commit ed82247

fix CORS origins to avoid domain hijacking
Signed-off-by: Marcos Lilljedahl <marcosnils@gmail.com>
1 parent 2b95e66 commit ed82247

1 file changed

+4
-4
lines changed

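--- a/handlers/bootstrap.go
+++ b/handlers/bootstrap.go
@@ -70,10 +70,10 @@ func Register(extend HandlerExtender) {
 
 corsHandler := gh.CORS(gh.AllowCredentials(), gh.AllowedHeaders([]string{"x-requested-with", "content-type"}), gh.AllowedMethods([]string{"GET", "POST", "HEAD", "DELETE"}), gh.AllowedOriginValidator(func(origin string) bool {
 if strings.Contains(origin, "localhost") ||
-strings.HasSuffix(origin, "play-with-docker.com") ||
-strings.HasSuffix(origin, "play-with-kubernetes.com") ||
-strings.HasSuffix(origin, "docker.com") ||
-strings.HasSuffix(origin, "play-with-go.dev") {
+strings.HasSuffix(origin, ".play-with-docker.com") ||
+strings.HasSuffix(origin, ".play-with-kubernetes.com") ||
+strings.HasSuffix(origin, ".docker.com") ||
+strings.HasSuffix(origin, ".play-with-go.dev") {
 return true
 }
 return false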
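Review bot: The `strings.Contains(origin, "localhost")` test kept as context at new line 72 is still a substring match, so it has the same weakness this commit removes from the suffix checks: any origin whose text merely contains "localhost" is accepted, and the handler is built with `gh.AllowCredentials()`. The suffix checks also run against the raw origin string, so the scheme is not constrained, and an origin that is exactly one of the apex domains (no leading label) no longer matches; worth confirming that no front end is served from an apex. Parsing the origin and comparing its hostname exactly or by dot-prefixed suffix addresses both points. It needs `net/url` in the file's imports, and `Register` starts and ends outside this hunk.

```go
gh.AllowedOriginValidator(func(origin string) bool {
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	host := u.Hostname() // strips any port, so "localhost:3000" still matches below
	if host == "localhost" {
		return true
	}
	for _, d := range []string{"play-with-docker.com", "play-with-kubernetes.com", "docker.com", "play-with-go.dev"} {
		// exact apex or a real subdomain; a look-alike suffix without the dot is rejected
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
```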
