Compare commits

..

No commits in common. "master" and "new" have entirely different histories.
master ... new

7 changed files with 51 additions and 84 deletions

View File

@ -2,10 +2,9 @@ language: go
sudo: false sudo: false
go: go:
- 1.6.x - 1.5.4
- 1.7.x - 1.6.3
- 1.8.x - 1.7.3
- 1.9.x
- tip - tip
script: script:

View File

@ -4,7 +4,8 @@
[![codecov](https://codecov.io/gh/gin-contrib/cors/branch/master/graph/badge.svg)](https://codecov.io/gh/gin-contrib/cors) [![codecov](https://codecov.io/gh/gin-contrib/cors/branch/master/graph/badge.svg)](https://codecov.io/gh/gin-contrib/cors)
[![Go Report Card](https://goreportcard.com/badge/github.com/gin-contrib/cors)](https://goreportcard.com/report/github.com/gin-contrib/cors) [![Go Report Card](https://goreportcard.com/badge/github.com/gin-contrib/cors)](https://goreportcard.com/report/github.com/gin-contrib/cors)
[![GoDoc](https://godoc.org/github.com/gin-contrib/cors?status.svg)](https://godoc.org/github.com/gin-contrib/cors) [![GoDoc](https://godoc.org/github.com/gin-contrib/cors?status.svg)](https://godoc.org/github.com/gin-contrib/cors)
[![Join the chat at https://gitter.im/gin-gonic/gin](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/gin-gonic/gin) [![Join the chat at https://gitter.im/gin-gonic/gin](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/gin-gonic/gin?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
Gin middleware/handler to enable CORS support. Gin middleware/handler to enable CORS support.
@ -12,16 +13,16 @@ Gin middleware/handler to enable CORS support.
### Start using it ### Start using it
Download and install it: 1. Download and install it:
```sh ```sh
$ go get github.com/gin-contrib/cors $ go get gopkg.in/gin-contrib/cors.v1
``` ```
Import it in your code: 2. Import it in your code:
```go ```go
import "github.com/gin-contrib/cors" import "gopkg.in/gin-contrib/cors.v1"
``` ```
### Canonical example: ### Canonical example:
@ -32,8 +33,8 @@ package main
import ( import (
"time" "time"
"github.com/gin-contrib/cors" "gopkg.in/gin-contrib/cors.v1"
"github.com/gin-gonic/gin" "gopkg.in/gin-gonic/gin.v1"
) )
func main() { func main() {

View File

@ -3,12 +3,11 @@ package cors
import ( import (
"net/http" "net/http"
"github.com/gin-gonic/gin" "gopkg.in/gin-gonic/gin.v1"
) )
type cors struct { type cors struct {
allowAllOrigins bool allowAllOrigins bool
allowCredentials bool
allowOriginFunc func(string) bool allowOriginFunc func(string) bool
allowOrigins []string allowOrigins []string
exposeHeaders []string exposeHeaders []string
@ -23,7 +22,6 @@ func newCors(config Config) *cors {
return &cors{ return &cors{
allowOriginFunc: config.AllowOriginFunc, allowOriginFunc: config.AllowOriginFunc,
allowAllOrigins: config.AllowAllOrigins, allowAllOrigins: config.AllowAllOrigins,
allowCredentials: config.AllowCredentials,
allowOrigins: normalize(config.AllowOrigins), allowOrigins: normalize(config.AllowOrigins),
normalHeaders: generateNormalHeaders(config), normalHeaders: generateNormalHeaders(config),
preflightHeaders: generatePreflightHeaders(config), preflightHeaders: generatePreflightHeaders(config),

10
cors.go
View File

@ -5,7 +5,7 @@ import (
"strings" "strings"
"time" "time"
"github.com/gin-gonic/gin" "gopkg.in/gin-gonic/gin.v1"
) )
// Config represents all available options for the middleware. // Config represents all available options for the middleware.
@ -14,7 +14,7 @@ type Config struct {
// AllowedOrigins is a list of origins a cross-domain request can be executed from. // AllowedOrigins is a list of origins a cross-domain request can be executed from.
// If the special "*" value is present in the list, all origins will be allowed. // If the special "*" value is present in the list, all origins will be allowed.
// Default value is [] // Default value is ["*"]
AllowOrigins []string AllowOrigins []string
// AllowOriginFunc is a custom function to validate the origin. It take the origin // AllowOriginFunc is a custom function to validate the origin. It take the origin
@ -28,6 +28,8 @@ type Config struct {
// AllowedHeaders is list of non simple headers the client is allowed to use with // AllowedHeaders is list of non simple headers the client is allowed to use with
// cross-domain requests. // cross-domain requests.
// If the special "*" value is present in the list, all headers will be allowed.
// Default value is [] but "Origin" is always appended to the list.
AllowHeaders []string AllowHeaders []string
// AllowCredentials indicates whether the request can include user credentials like // AllowCredentials indicates whether the request can include user credentials like
@ -67,8 +69,8 @@ func (c Config) Validate() error {
return errors.New("conflict settings: all origins disabled") return errors.New("conflict settings: all origins disabled")
} }
for _, origin := range c.AllowOrigins { for _, origin := range c.AllowOrigins {
if origin != "*" && !strings.HasPrefix(origin, "http://") && !strings.HasPrefix(origin, "https://") { if !strings.HasPrefix(origin, "http://") && !strings.HasPrefix(origin, "https://") {
return errors.New("bad origin: origins must either be '*' or include http:// or https://") return errors.New("bad origin: origins must include http:// or https://")
} }
} }
return nil return nil

View File

@ -3,12 +3,11 @@ package cors
import ( import (
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"strings"
"testing" "testing"
"time" "time"
"github.com/gin-gonic/gin"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"gopkg.in/gin-gonic/gin.v1"
) )
func init() { func init() {
@ -95,14 +94,6 @@ func TestNormalize(t *testing.T) {
assert.Equal(t, values, []string{}) assert.Equal(t, values, []string{})
} }
func TestConvert(t *testing.T) {
methods := []string{"Get", "GET", "get"}
headers := []string{"X-CSRF-TOKEN", "X-CSRF-Token", "x-csrf-token"}
assert.Equal(t, []string{"GET", "GET", "GET"}, convert(methods, strings.ToUpper))
assert.Equal(t, []string{"X-Csrf-Token", "X-Csrf-Token", "X-Csrf-Token"}, convert(headers, http.CanonicalHeaderKey))
}
func TestGenerateNormalHeaders_AllowAllOrigins(t *testing.T) { func TestGenerateNormalHeaders_AllowAllOrigins(t *testing.T) {
header := generateNormalHeaders(Config{ header := generateNormalHeaders(Config{
AllowAllOrigins: false, AllowAllOrigins: false,
@ -132,7 +123,7 @@ func TestGenerateNormalHeaders_ExposedHeaders(t *testing.T) {
header := generateNormalHeaders(Config{ header := generateNormalHeaders(Config{
ExposeHeaders: []string{"X-user", "xPassword"}, ExposeHeaders: []string{"X-user", "xPassword"},
}) })
assert.Equal(t, header.Get("Access-Control-Expose-Headers"), "X-User,Xpassword") assert.Equal(t, header.Get("Access-Control-Expose-Headers"), "x-user,xpassword")
assert.Equal(t, header.Get("Vary"), "Origin") assert.Equal(t, header.Get("Vary"), "Origin")
assert.Len(t, header, 2) assert.Len(t, header, 2)
} }
@ -166,7 +157,7 @@ func TestGeneratePreflightHeaders_AllowedMethods(t *testing.T) {
header := generatePreflightHeaders(Config{ header := generatePreflightHeaders(Config{
AllowMethods: []string{"GET ", "post", "PUT", " put "}, AllowMethods: []string{"GET ", "post", "PUT", " put "},
}) })
assert.Equal(t, header.Get("Access-Control-Allow-Methods"), "GET,POST,PUT") assert.Equal(t, header.Get("Access-Control-Allow-Methods"), "get,post,put")
assert.Equal(t, header.Get("Vary"), "Origin") assert.Equal(t, header.Get("Vary"), "Origin")
assert.Len(t, header, 2) assert.Len(t, header, 2)
} }
@ -175,7 +166,7 @@ func TestGeneratePreflightHeaders_AllowedHeaders(t *testing.T) {
header := generatePreflightHeaders(Config{ header := generatePreflightHeaders(Config{
AllowHeaders: []string{"X-user", "Content-Type"}, AllowHeaders: []string{"X-user", "Content-Type"},
}) })
assert.Equal(t, header.Get("Access-Control-Allow-Headers"), "X-User,Content-Type") assert.Equal(t, header.Get("Access-Control-Allow-Headers"), "x-user,content-type")
assert.Equal(t, header.Get("Vary"), "Origin") assert.Equal(t, header.Get("Vary"), "Origin")
assert.Len(t, header, 2) assert.Len(t, header, 2)
} }
@ -217,7 +208,7 @@ func TestPassesAllowedOrigins(t *testing.T) {
AllowMethods: []string{" GeT ", "get", "post", "PUT ", "Head", "POST"}, AllowMethods: []string{" GeT ", "get", "post", "PUT ", "Head", "POST"},
AllowHeaders: []string{"Content-type", "timeStamp "}, AllowHeaders: []string{"Content-type", "timeStamp "},
ExposeHeaders: []string{"Data", "x-User"}, ExposeHeaders: []string{"Data", "x-User"},
AllowCredentials: false, AllowCredentials: true,
MaxAge: 12 * time.Hour, MaxAge: 12 * time.Hour,
AllowOriginFunc: func(origin string) bool { AllowOriginFunc: func(origin string) bool {
return origin == "http://github.com" return origin == "http://github.com"
@ -226,43 +217,37 @@ func TestPassesAllowedOrigins(t *testing.T) {
// no CORS request, origin == "" // no CORS request, origin == ""
w := performRequest(router, "GET", "") w := performRequest(router, "GET", "")
assert.Equal(t, "get", w.Body.String()) assert.Equal(t, w.Body.String(), "get")
assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers")) assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers"))
// allowed CORS request // allowed CORS request
w = performRequest(router, "GET", "http://google.com") w = performRequest(router, "GET", "http://google.com")
assert.Equal(t, "get", w.Body.String()) assert.Equal(t, w.Body.String(), "get")
assert.Equal(t, "http://google.com", w.Header().Get("Access-Control-Allow-Origin")) assert.Equal(t, w.Header().Get("Access-Control-Allow-Origin"), "http://google.com")
assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials")) assert.Equal(t, w.Header().Get("Access-Control-Allow-Credentials"), "true")
assert.Equal(t, "Data,X-User", w.Header().Get("Access-Control-Expose-Headers")) assert.Equal(t, w.Header().Get("Access-Control-Expose-Headers"), "data,x-user")
w = performRequest(router, "GET", "http://github.com")
assert.Equal(t, "get", w.Body.String())
assert.Equal(t, "http://github.com", w.Header().Get("Access-Control-Allow-Origin"))
assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials"))
assert.Equal(t, "Data,X-User", w.Header().Get("Access-Control-Expose-Headers"))
// deny CORS request // deny CORS request
w = performRequest(router, "GET", "https://google.com") w = performRequest(router, "GET", "https://google.com")
assert.Equal(t, 403, w.Code) assert.Equal(t, w.Code, 403)
assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers")) assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers"))
// allowed CORS prefligh request // allowed CORS prefligh request
w = performRequest(router, "OPTIONS", "http://github.com") w = performRequest(router, "OPTIONS", "http://github.com")
assert.Equal(t, 200, w.Code) assert.Equal(t, w.Code, 200)
assert.Equal(t, "http://github.com", w.Header().Get("Access-Control-Allow-Origin")) assert.Equal(t, w.Header().Get("Access-Control-Allow-Origin"), "http://github.com")
assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials")) assert.Equal(t, w.Header().Get("Access-Control-Allow-Credentials"), "true")
assert.Equal(t, "GET,POST,PUT,HEAD", w.Header().Get("Access-Control-Allow-Methods")) assert.Equal(t, w.Header().Get("Access-Control-Allow-Methods"), "get,post,put,head")
assert.Equal(t, "Content-Type,Timestamp", w.Header().Get("Access-Control-Allow-Headers")) assert.Equal(t, w.Header().Get("Access-Control-Allow-Headers"), "content-type,timestamp")
assert.Equal(t, "43200", w.Header().Get("Access-Control-Max-Age")) assert.Equal(t, w.Header().Get("Access-Control-Max-Age"), "43200")
// deny CORS prefligh request // deny CORS prefligh request
w = performRequest(router, "OPTIONS", "http://example.com") w = performRequest(router, "OPTIONS", "http://example.com")
assert.Equal(t, 403, w.Code) assert.Equal(t, w.Code, 403)
assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
assert.Empty(t, w.Header().Get("Access-Control-Allow-Methods")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Methods"))
@ -282,26 +267,24 @@ func TestPassesAllowedAllOrigins(t *testing.T) {
// no CORS request, origin == "" // no CORS request, origin == ""
w := performRequest(router, "GET", "") w := performRequest(router, "GET", "")
assert.Equal(t, "get", w.Body.String()) assert.Equal(t, w.Body.String(), "get")
assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers")) assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers"))
assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
// allowed CORS request // allowed CORS request
w = performRequest(router, "POST", "example.com") w = performRequest(router, "POST", "example.com")
assert.Equal(t, "post", w.Body.String()) assert.Equal(t, w.Body.String(), "post")
assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin")) assert.Equal(t, w.Header().Get("Access-Control-Allow-Origin"), "*")
assert.Equal(t, "Data2,X-User2", w.Header().Get("Access-Control-Expose-Headers")) assert.Equal(t, w.Header().Get("Access-Control-Expose-Headers"), "data2,x-user2")
assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin"))
// allowed CORS prefligh request // allowed CORS prefligh request
w = performRequest(router, "OPTIONS", "https://facebook.com") w = performRequest(router, "OPTIONS", "https://facebook.com")
assert.Equal(t, 200, w.Code) assert.Equal(t, w.Code, 200)
assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin")) assert.Equal(t, w.Header().Get("Access-Control-Allow-Origin"), "*")
assert.Equal(t, "PATCH,GET,POST", w.Header().Get("Access-Control-Allow-Methods")) assert.Equal(t, w.Header().Get("Access-Control-Allow-Methods"), "patch,get,post")
assert.Equal(t, "Content-Type,Testheader", w.Header().Get("Access-Control-Allow-Headers")) assert.Equal(t, w.Header().Get("Access-Control-Allow-Headers"), "content-type,testheader")
assert.Equal(t, "36000", w.Header().Get("Access-Control-Max-Age")) assert.Equal(t, w.Header().Get("Access-Control-Max-Age"), "36000")
assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
} }

View File

@ -3,8 +3,8 @@ package main
import ( import (
"time" "time"
"github.com/gin-contrib/cors" "gopkg.in/gin-contrib/cors.v1"
"github.com/gin-gonic/gin" "gopkg.in/gin-gonic/gin.v1"
) )
func main() { func main() {

View File

@ -7,15 +7,13 @@ import (
"time" "time"
) )
type converter func(string) string
func generateNormalHeaders(c Config) http.Header { func generateNormalHeaders(c Config) http.Header {
headers := make(http.Header) headers := make(http.Header)
if c.AllowCredentials { if c.AllowCredentials {
headers.Set("Access-Control-Allow-Credentials", "true") headers.Set("Access-Control-Allow-Credentials", "true")
} }
if len(c.ExposeHeaders) > 0 { if len(c.ExposeHeaders) > 0 {
exposeHeaders := convert(normalize(c.ExposeHeaders), http.CanonicalHeaderKey) exposeHeaders := normalize(c.ExposeHeaders)
headers.Set("Access-Control-Expose-Headers", strings.Join(exposeHeaders, ",")) headers.Set("Access-Control-Expose-Headers", strings.Join(exposeHeaders, ","))
} }
if c.AllowAllOrigins { if c.AllowAllOrigins {
@ -32,12 +30,12 @@ func generatePreflightHeaders(c Config) http.Header {
headers.Set("Access-Control-Allow-Credentials", "true") headers.Set("Access-Control-Allow-Credentials", "true")
} }
if len(c.AllowMethods) > 0 { if len(c.AllowMethods) > 0 {
allowMethods := convert(normalize(c.AllowMethods), strings.ToUpper) allowMethods := normalize(c.AllowMethods)
value := strings.Join(allowMethods, ",") value := strings.Join(allowMethods, ",")
headers.Set("Access-Control-Allow-Methods", value) headers.Set("Access-Control-Allow-Methods", value)
} }
if len(c.AllowHeaders) > 0 { if len(c.AllowHeaders) > 0 {
allowHeaders := convert(normalize(c.AllowHeaders), http.CanonicalHeaderKey) allowHeaders := normalize(c.AllowHeaders)
value := strings.Join(allowHeaders, ",") value := strings.Join(allowHeaders, ",")
headers.Set("Access-Control-Allow-Headers", value) headers.Set("Access-Control-Allow-Headers", value)
} }
@ -48,13 +46,7 @@ func generatePreflightHeaders(c Config) http.Header {
if c.AllowAllOrigins { if c.AllowAllOrigins {
headers.Set("Access-Control-Allow-Origin", "*") headers.Set("Access-Control-Allow-Origin", "*")
} else { } else {
// Always set Vary headers headers.Set("Vary", "Origin")
// see https://github.com/rs/cors/issues/10,
// https://github.com/rs/cors/commit/dbdca4d95feaa7511a46e6f1efb3b3aa505bc43f#commitcomment-12352001
headers.Add("Vary", "Origin")
headers.Add("Vary", "Access-Control-Request-Method")
headers.Add("Vary", "Access-Control-Request-Headers")
} }
return headers return headers
} }
@ -75,11 +67,3 @@ func normalize(values []string) []string {
} }
return normalized return normalized
} }
func convert(s []string, c converter) []string {
var out []string
for _, i := range s {
out = append(out, c(i))
}
return out
}