jub0bs 2025-03-05 21:34:05 +01:00 committed by GitHub
commit beefd7d877
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 22 additions and 4 deletions


@ -20,14 +20,14 @@ import (
)
var corsHeaders = map[string]string{
"Access-Control-Allow-Headers": "Accept, Authorization, Content-Type, Origin",
"Access-Control-Allow-Headers": "Accept, Authorization, Content-Type",
"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
"Access-Control-Expose-Headers": "Date",
"Vary": "Origin",
}
// SetCORS enables cross-site script calls.
// SetCORS enables cross-origin script calls.
func SetCORS(w http.ResponseWriter, o *regexp.Regexp, r *http.Request) {
w.Header().Add("Vary", "Origin")
origin := r.Header.Get("Origin")
if origin == "" {
return
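Review bot: The unconditional `w.Header().Add("Vary", "Origin")` placed ahead of the empty-Origin early return has no comment saying why it must run before any return, and the doc comment on SetCORS still describes only the CORS side. I would add above the call `// Always mark the response as varying on Origin, even when no CORS headers are emitted, so a shared cache cannot reuse it for a request from another origin.` and extend the doc comment with one sentence stating that Vary: Origin is set on every response. Without that, a later refactor could move the line back under the origin match and quietly reintroduce the caching gap. SetCORS's body continues past the end of the hunk, so the match against `o` is not visible here.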


@ -48,8 +48,10 @@ func TestCORSHandler(t *testing.T) {
resp, err := client.Do(req)
require.NoError(t, err, "client get failed with unexpected error")
AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
Vary := resp.Header.Get("Vary")
require.Equal(t, "Origin", Vary, `expected "Vary: Origin" header`)
AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
require.Equal(t, dummyOrigin, AccessControlAllowOrigin, "expected Access-Control-Allow-Origin header")
// OPTIONS with bad origin
@ -62,4 +64,20 @@ func TestCORSHandler(t *testing.T) {
AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
require.Empty(t, AccessControlAllowOrigin, "Access-Control-Allow-Origin header should not exist but it was set")
Vary = resp.Header.Get("Vary")
require.Equal(t, "Origin", Vary, `expected "Vary: Origin" header`)
// OPTIONS with no origin
req, err = http.NewRequest(http.MethodOptions, server.URL+"/any_path", nil)
require.NoError(t, err, "could not create request")
resp, err = client.Do(req)
require.NoError(t, err, "client get failed with unexpected error")
Vary = resp.Header.Get("Vary")
require.Equal(t, "Origin", Vary, `expected "Vary: Origin" header`)
AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
require.Empty(t, AccessControlAllowOrigin, "Access-Control-Allow-Origin header should not exist but it was set")
}
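Review bot: The new assertions compare `resp.Header.Get("Vary")` to exactly "Origin", but Get returns only the first Vary field line, so the check fails for an unrelated reason as soon as another handler layer contributes its own Vary value. Asserting the property itself is more robust, e.g. `require.Contains(t, strings.Join(resp.Header.Values("Vary"), ", "), "Origin")` (this needs the `strings` import). The cases visible in these hunks all send OPTIONS, which is inferred for the first one because its request is built outside the hunk. Since Vary matters for responses a cache may store, a GET case without an Origin header would be worth adding. TestCORSHandler starts outside the hunk.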