package advhttp
import (
"fmt"
"net/http"
"strings"
)
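// Names of the HTTP headers that take part in a CORS exchange.
const (
	// Request headers sent by the browser.
	CorsOrigin                     = "Origin"
	CorsAccessControlRequestMethod = "Access-Control-Request-Method"
	// CorsAccessControlRequestHeader names the preflight header that lists the
	// request headers the client intends to send. The header name on the wire
	// is plural; with the singular spelling the lookup never matched what
	// browsers send. The Go identifier keeps its original (singular) name so
	// existing callers still compile.
	CorsAccessControlRequestHeader = "Access-Control-Request-Headers"

	// Response headers written by the server.
	CorsAccessControlAllowOrigin      = "Access-Control-Allow-Origin"
	CorsAccessControlAllowMethods     = "Access-Control-Allow-Methods"
	CorsAccessControlAllowHeaders     = "Access-Control-Allow-Headers"
	CorsAccessControlAllowCredentials = "Access-Control-Allow-Credentials"
	CorsAccessControlExposeHeaders    = "Access-Control-Expose-Headers"
	CorsAccessControlMaxAge           = "Access-Control-Max-Age"
)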
// Default policy values. They are exported, mutable package variables, so any
// code in the program can change them at run time.
var (
	// CorsDefaultAllowOrigin is the wildcard origin.
	//
	// NOTE(review): browsers refuse a credentialed response whose
	// Access-Control-Allow-Origin is "*", so this default does not combine
	// usefully with CorsDefaultAllowCredentials below. Prefer an explicit
	// origin whenever cookies or HTTP authentication are involved.
	CorsDefaultAllowOrigin string = "*"

	// CorsDefaultAllowHeaders lists the header names allowed by default.
	CorsDefaultAllowHeaders []string = []string{"Location", "Content-Type", "ETag", "Accept-Patch"}

	// CorsDefaultAllowMethods lists the HTTP methods allowed by default.
	CorsDefaultAllowMethods []string = []string{"OPTIONS", "HEAD", "GET", "POST", "PUT", "PATCH", "DELETE"}

	// CorsDefaultExposeHeaders lists the response headers exposed by default.
	CorsDefaultExposeHeaders []string = []string{"Location", "Content-Type", "ETag", "Accept-Patch"}

	// CorsDefaultMaxAge is the default preflight cache lifetime in seconds
	// (20 days). Browsers apply their own, lower, upper bound to this value.
	CorsDefaultMaxAge int64 = 20 * 24 * 60 * 60

	// CorsDefaultAllowCredentials is the default credentials setting.
	CorsDefaultAllowCredentials bool = true
)
// Cors holds the cross-origin policy that ProcessCors turns into response
// headers.
type Cors struct {
	// AllowOrigin is the value sent in Access-Control-Allow-Origin. When it
	// is empty, ProcessCors echoes the Origin header of the request instead.
	AllowOrigin string

	// AllowHeaders is the list used for Access-Control-Allow-Headers on
	// preflight responses.
	AllowHeaders []string

	// AllowMethods is joined with commas into Access-Control-Allow-Methods on
	// preflight responses.
	AllowMethods []string

	// ExposeHeaders is joined with commas into Access-Control-Expose-Headers
	// on non-preflight responses.
	ExposeHeaders []string

	// MaxAge is written as a decimal number into Access-Control-Max-Age on
	// preflight responses.
	MaxAge int64

	// AllowCredentials controls the Access-Control-Allow-Credentials response
	// header.
	AllowCredentials bool
}
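// ProcessCors writes the CORS response headers for r according to the policy
// in cors, so that browser JavaScript served from another origin can call the
// API. It only sets headers on w: it writes no status code or body and never
// rejects a request, so enforcement is left to the browser.
//
// The steps follow the flowchart at
// http://www.html5rocks.com/static/images/cors_server_flowchart.png
//
// NOTE(review): an empty AllowOrigin echoes whatever Origin the client sent.
// Combined with AllowCredentials that trusts every site with the user's
// cookies; set an explicit origin when credentials are in use.
func (cors *Cors) ProcessCors(w http.ResponseWriter, r *http.Request) {
	// A request without an Origin header is not a CORS request.
	origin := r.Header.Get(CorsOrigin)
	if origin == "" {
		return
	}
	hdr := w.Header()

	if r.Method == "OPTIONS" && r.Header.Get(CorsAccessControlRequestMethod) != "" {
		// Preflight. Start from the configured header list and echo the
		// client's own list only when every name in it is configured, which
		// is the "is the header valid?" step of the flowchart.
		allowHeaders := strings.Join(cors.AllowHeaders, ",")
		if requested := r.Header.Get(CorsAccessControlRequestHeader); requested != "" {
			permitted := true
			for _, name := range strings.Split(requested, ",") {
				name = strings.TrimSpace(name)
				if name == "" {
					continue
				}
				known := false
				for _, allowed := range cors.AllowHeaders {
					// Header names are case-insensitive.
					if strings.EqualFold(name, strings.TrimSpace(allowed)) {
						known = true
						break
					}
				}
				if !known {
					permitted = false
					break
				}
			}
			if permitted {
				allowHeaders = requested
			}
		}
		hdr.Set(CorsAccessControlAllowHeaders, allowHeaders)
		hdr.Set(CorsAccessControlAllowMethods, strings.Join(cors.AllowMethods, ","))
		hdr.Set(CorsAccessControlMaxAge, fmt.Sprintf("%d", cors.MaxAge))
	} else {
		// Actual request: tell the browser which response headers script may read.
		hdr.Set(CorsAccessControlExposeHeaders, strings.Join(cors.ExposeHeaders, ","))
	}

	allowOrigin := cors.AllowOrigin
	if allowOrigin == "" {
		allowOrigin = origin
		// The response now depends on the request's Origin, so a shared cache
		// must not serve it to a different origin.
		hdr.Add("Vary", "Origin")
	}
	hdr.Set(CorsAccessControlAllowOrigin, allowOrigin)

	// The only meaningful value of this header is "true", and browsers refuse
	// it next to a wildcard origin, so it is left out in every other case.
	if cors.AllowCredentials && allowOrigin != "*" {
		hdr.Set(CorsAccessControlAllowCredentials, "true")
	}
}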
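// DefaultCors is the policy applied by the package-level ProcessCors. This
// file declares it without a value, so it is nil until some other code
// assigns it.
var DefaultCors *Cors

// ProcessCors applies DefaultCors to the response for r. When DefaultCors has
// not been set it writes no CORS headers at all, so the browser keeps its
// same-origin restrictions and the handler does not panic on a nil policy.
func ProcessCors(w http.ResponseWriter, r *http.Request) {
	if DefaultCors == nil {
		return
	}
	DefaultCors.ProcessCors(w, r)
}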