diff options
author | Niall Sheridan <nsheridan@gmail.com> | 2018-06-20 22:39:07 +0100 |
---|---|---|
committer | Niall Sheridan <nsheridan@gmail.com> | 2018-06-20 22:39:07 +0100 |
commit | de6d2c524430287c699aaa898c1325da6afea539 (patch) | |
tree | f78eb841208d667668a7bc92a9290d693cc7103b /vendor/github.com/gorilla/handlers | |
parent | eb99016e1629e690e55633de6fc63a14c53e7ea2 (diff) |
Update dependencies
Diffstat (limited to 'vendor/github.com/gorilla/handlers')
-rw-r--r-- | vendor/github.com/gorilla/handlers/cors.go | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/vendor/github.com/gorilla/handlers/cors.go b/vendor/github.com/gorilla/handlers/cors.go index 1f92d1a..16efb8a 100644 --- a/vendor/github.com/gorilla/handlers/cors.go +++ b/vendor/github.com/gorilla/handlers/cors.go @@ -48,7 +48,10 @@ const ( func (ch *cors) ServeHTTP(w http.ResponseWriter, r *http.Request) { origin := r.Header.Get(corsOriginHeader) if !ch.isOriginAllowed(origin) { - ch.h.ServeHTTP(w, r) + if r.Method != corsOptionMethod || ch.ignoreOptions { + ch.h.ServeHTTP(w, r) + } + return } @@ -110,7 +113,21 @@ func (ch *cors) ServeHTTP(w http.ResponseWriter, r *http.Request) { w.Header().Set(corsVaryHeader, corsOriginHeader) } - w.Header().Set(corsAllowOriginHeader, origin) + returnOrigin := origin + if ch.allowedOriginValidator == nil && len(ch.allowedOrigins) == 0 { + returnOrigin = "*" + } else { + for _, o := range ch.allowedOrigins { + // A configuration of * is different than explicitly setting an allowed + // origin. Returning arbitrary origin headers an an access control allow + // origin header is unsafe and is not required by any use case. + if o == corsOriginMatchAll { + returnOrigin = "*" + break + } + } + } + w.Header().Set(corsAllowOriginHeader, returnOrigin) if r.Method == corsOptionMethod { return @@ -149,7 +166,7 @@ func parseCORSOptions(opts ...CORSOption) *cors { ch := &cors{ allowedMethods: defaultCorsMethods, allowedHeaders: defaultCorsHeaders, - allowedOrigins: []string{corsOriginMatchAll}, + allowedOrigins: []string{}, } for _, option := range opts { @@ -297,6 +314,10 @@ func (ch *cors) isOriginAllowed(origin string) bool { return ch.allowedOriginValidator(origin) } + if len(ch.allowedOrigins) == 0 { + return true + } + for _, allowedOrigin := range ch.allowedOrigins { if allowedOrigin == origin || allowedOrigin == corsOriginMatchAll { return true |