package mango
import (
"net/http"
"strconv"
"strings"
)
// CORSConfig holds CORS configuration. It can be used as
// the configuration for an individual resource or as a
// global configuration for the entire router tree.
type CORSConfig struct {
	// Origins list all permitted origins. A CORS request
	// origin MUST be in the Origins list for the response
	// headers to be populated with the correct response.
	// Values must contain the scheme (e.g. http://here.com).
	// Matching is exact, case-sensitive string equality.
	// A wildcard * can be used which will match ALL origins,
	// however the Access-Control-Allow-Origin response header
	// will always echo the request Origin if the remaining CORS
	// criteria is met. Because the Origin is echoed rather than
	// answered with "*", pairing the wildcard with Credentials: true
	// grants credentialed cross-origin access to every origin;
	// list explicit origins whenever Credentials is true.
	Origins []string
	// Methods available for the resource. If there are methods
	// listed here for which there is no handler, then that
	// method will not be included in the Access-Control-Allow-Methods
	// response header. GET, HEAD and POST are always permitted
	// and need not be listed here.
	Methods []string
	// Headers lists the custom headers in a request that the
	// server will accept. Requested headers are matched
	// case-insensitively and echoed in Access-Control-Allow-Headers
	// with the spelling configured here. A "*" entry accepts any
	// requested header (echoed in canonical form).
	Headers []string
	// ExposedHeaders are custom headers that the client browser
	// is allowed to access; sent as Access-Control-Expose-Headers
	// on non-preflight responses.
	ExposedHeaders []string
	// Credentials controls the Access-Control-Allow-Credentials header.
	// The header is only included in the response if Credentials is true,
	// in which case the header has a value of "true".
	// A value of true allows the client browser to access response cookies.
	Credentials bool
	// MaxAge is the cache duration (in seconds) that is returned
	// in a Preflight Access-Control-Max-Age response header.
	// A value of zero means the header won't be sent.
	MaxAge int
}
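// clone returns an independent copy of c.
//
// The slice fields are copied rather than shared: merge appends in place,
// so a copy that merely aliased c's slices could write into the backing
// arrays of the original or of sibling clones whenever spare capacity
// existed. Scalar fields are copied as-is.
func (c *CORSConfig) clone() *CORSConfig {
	return &CORSConfig{
		Origins:        cloneStrings(c.Origins),
		Methods:        cloneStrings(c.Methods),
		Headers:        cloneStrings(c.Headers),
		ExposedHeaders: cloneStrings(c.ExposedHeaders),
		Credentials:    c.Credentials,
		MaxAge:         c.MaxAge,
	}
}

// cloneStrings returns a copy of s with its own backing array. A nil input
// stays nil and an empty non-nil input stays empty, so nil-ness is preserved.
func cloneStrings(s []string) []string {
	if s == nil {
		return nil
	}
	out := make([]string, len(s))
	copy(out, s)
	return out
}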
// allValues is the wildcard entry that, when present in Origins or Headers,
// matches every origin or every requested header respectively.
const allValues = "*"

var (
	// simpleHeaders are request headers (lowercase) that a preflight may
	// list without them having to appear in CORSConfig.Headers. They are
	// accepted but never echoed back in Access-Control-Allow-Headers.
	simpleHeaders = []string{"accept", "accept-language", "content-language"}

	// simpleMethods are always permitted and need not be listed in
	// CORSConfig.Methods; allMethods prepends them to the configured set.
	simpleMethods = []string{"GET", "HEAD", "POST"}
)
// originAllowed reports whether origin is permitted by c.Origins: either
// the wildcard entry is configured or origin appears verbatim in the list.
// Comparison is exact and case-sensitive.
func (c *CORSConfig) originAllowed(origin string) bool {
	for _, permitted := range c.Origins {
		if permitted == allValues || permitted == origin {
			return true
		}
	}
	return false
}
// methodAllowed reports whether method is one of the simple methods or one
// of the methods configured in c.Methods (see allMethods). Case-sensitive.
func (c *CORSConfig) methodAllowed(method string) bool {
	for _, m := range c.allMethods() {
		if m == method {
			return true
		}
	}
	return false
}
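// allMethods returns the simple methods followed by every configured method
// not already present, in that order.
func (c *CORSConfig) allMethods() []string {
	// Build on a private copy: appendIfNotExists appends in place, and
	// appending straight onto the package-level simpleMethods slice would
	// write into its backing array if that slice ever gained spare capacity.
	methods := make([]string, 0, len(simpleMethods)+len(c.Methods))
	methods = append(methods, simpleMethods...)
	return appendIfNotExists(methods, c.Methods)
}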
// headersAllowed validates a comma-separated Access-Control-Request-Headers
// value against c.Headers.
//
// It returns the header names to echo in Access-Control-Allow-Headers and
// whether every requested header was acceptable. Simple headers are
// accepted but not echoed; Content-Type is accepted and echoed as
// "Content-Type"; anything else must match an entry of c.Headers
// (case-insensitively, echoed with the configured spelling) or a "*" entry
// (echoed in canonical form). Empty items are ignored. On failure the list
// accumulated so far is returned together with allowed == false.
func (c *CORSConfig) headersAllowed(headers string) (allowedHeaders []string, allowed bool) {
	for _, raw := range strings.Split(headers, ",") {
		// Browsers are inconsistent about the casing they send, so normalise
		// before matching.
		name := strings.ToLower(strings.TrimSpace(raw))
		if name == "" {
			continue
		}
		echo, ok := matchRequestHeader(name, c.Headers)
		if !ok {
			return allowedHeaders, false
		}
		if echo != "" {
			allowedHeaders = append(allowedHeaders, echo)
		}
	}
	return allowedHeaders, true
}

// matchRequestHeader decides the fate of one lowercased requested header.
// It returns the value to echo back (empty when the header is accepted
// silently) and whether the header is acceptable at all.
func matchRequestHeader(name string, configured []string) (echo string, ok bool) {
	// Simple headers need no permission and are never echoed, but some
	// browsers (Chrome, for one) still list them in the preflight, so they
	// must not cause the preflight to fail.
	for _, sh := range simpleHeaders {
		if name == sh {
			return "", true
		}
	}
	// Configured entries are tried in order, so the first applicable one
	// wins: an exact match echoes the configured spelling, a "*" entry
	// echoes the canonical form of whatever was requested.
	for _, ah := range configured {
		if name == strings.ToLower(ah) {
			return ah, true
		}
		if ah == allValues {
			return http.CanonicalHeaderKey(name), true
		}
	}
	// Content-Type behaves like a simple header except that it is echoed.
	if name == "content-type" {
		return "Content-Type", true
	}
	return "", false
}
// stringInSlice reports whether a is an element of list, using exact
// (case-sensitive) comparison. A nil list never contains anything.
func stringInSlice(a string, list []string) bool {
	for i := range list {
		if list[i] == a {
			return true
		}
	}
	return false
}
// appendIfNotExists appends to dest each element of src that dest does not
// already contain and returns the extended slice. Because dest grows as it
// goes, duplicates within src collapse to one entry. Like append, the
// result may share dest's backing array.
func appendIfNotExists(dest []string, src []string) []string {
	for i := range src {
		if stringInSlice(src[i], dest) {
			continue
		}
		dest = append(dest, src[i])
	}
	return dest
}
// merge folds m into c in place.
//
// The list fields become the union of c's entries followed by m's entries
// not already present. The scalar fields Credentials and MaxAge are not
// combined: m's values replace c's unconditionally, so merging a config
// with Credentials false over one with Credentials true yields false.
func (c *CORSConfig) merge(m CORSConfig) {
	// Scalars: override.
	c.Credentials = m.Credentials
	c.MaxAge = m.MaxAge

	// Lists: union, preserving c's order then m's order of first appearance.
	lists := []struct {
		dst *[]string
		src []string
	}{
		{&c.Origins, m.Origins},
		{&c.Methods, m.Methods},
		{&c.Headers, m.Headers},
		{&c.ExposedHeaders, m.ExposedHeaders},
	}
	for _, l := range lists {
		*l.dst = appendIfNotExists(*l.dst, l.src)
	}
}
// type CORSType int
//
// const (
// NoCORS CORSType = 0 + iota
// SimpleCORS
// PreflightCORS
// )
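// handleCORS applies the CORS policy of resource to the response for req.
//
// It reports whether req was a preflight (an OPTIONS request carrying
// Access-Control-Request-Method). Nothing is written when the resource has
// no CORSConfig. Once a policy exists, Vary: Origin is always added because
// the response depends on the request Origin whether or not that origin is
// accepted; without it a shared cache could serve a response prepared for
// one origin to another. Beyond that, nothing is written when the request
// carries no Origin header (it is not a CORS request) or the Origin is not
// permitted. A preflight that fails method or header validation still
// returns preflight == true but receives no Access-Control-Allow-* headers.
//
// When the policy permits the request, Access-Control-Allow-Origin echoes
// the request Origin and Access-Control-Allow-Credentials is set when
// configured; a preflight additionally gets Allow-Methods, Allow-Headers
// and Max-Age, and a plain request gets Access-Control-Expose-Headers.
//
// NOTE(review): a "*" entry in Origins makes originAllowed accept any
// Origin, which is then echoed verbatim here. Combined with Credentials
// true that permits credentialed requests from every origin; this function
// applies the configured policy as-is, so prefer explicit origins whenever
// credentials are enabled.
func handleCORS(req *http.Request, w http.ResponseWriter, resource *Resource) (preflight bool) {
	corsConf := resource.CORSConfig
	if corsConf == nil {
		return false
	}
	hdr := w.Header()
	// The response for this resource varies by Origin in every case below,
	// so caches must key on it even for rejected or non-CORS requests.
	hdr.Add("Vary", "Origin")

	origin := req.Header.Get("Origin")
	// A request without an Origin header is not a CORS request. Without this
	// guard a "*" entry in Origins matches the empty string and an empty
	// Access-Control-Allow-Origin header is emitted on every plain response.
	if origin == "" || !corsConf.originAllowed(origin) {
		return false
	}

	if req.Method == http.MethodOptions {
		method := req.Header.Get("Access-Control-Request-Method")
		if method == "" {
			// A plain OPTIONS request, not a preflight.
			return false
		}
		// From here on the request is a preflight whether or not it passes.
		preflight = true
		if !setPreflightHeaders(hdr, req.Header, method, corsConf, resource) {
			return preflight
		}
	} else {
		for _, h := range corsConf.ExposedHeaders {
			hdr.Add("Access-Control-Expose-Headers", h)
		}
	}

	hdr.Set("Access-Control-Allow-Origin", origin)
	if corsConf.Credentials {
		hdr.Set("Access-Control-Allow-Credentials", "true")
	}
	return preflight
}

// setPreflightHeaders validates a preflight for method against corsConf and
// resource and, on success, writes Access-Control-Allow-Methods,
// Access-Control-Allow-Headers and (when MaxAge > 0) Access-Control-Max-Age
// to hdr. It reports whether the preflight passed; on failure hdr is left
// untouched. reqHdr is the request's header map.
func setPreflightHeaders(hdr http.Header, reqHdr http.Header, method string, corsConf *CORSConfig, resource *Resource) bool {
	if !corsConf.methodAllowed(method) {
		return false
	}
	if _, ok := resource.Handlers[method]; !ok {
		return false
	}
	// The header may be sent as several lines; treat them as one list.
	requested := strings.Join(reqHdr["Access-Control-Request-Headers"], ",")
	allowedHeaders, ok := corsConf.headersAllowed(requested)
	if !ok {
		return false
	}
	// Advertise every acceptable method that actually has a handler rather
	// than only the requested one: the broader answer caches better.
	for _, m := range corsConf.allMethods() {
		if _, ok := resource.Handlers[m]; ok {
			hdr.Add("Access-Control-Allow-Methods", m)
		}
	}
	for _, h := range allowedHeaders {
		hdr.Add("Access-Control-Allow-Headers", h)
	}
	if corsConf.MaxAge > 0 {
		hdr.Set("Access-Control-Max-Age", strconv.Itoa(corsConf.MaxAge))
	}
	return true
}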