echo/middleware/cors.go

package middleware

import (
	"net/http"
	"regexp"
	"strconv"
	"strings"

	"github.com/labstack/echo/v4"
)

type (
	// CORSConfig defines the config for CORS middleware.
	CORSConfig struct {
		// Skipper defines a function to skip middleware.
		Skipper Skipper

		// AllowOrigin defines a list of origins that may access the resource.
		// Optional. Default value []string{"*"}.
		AllowOrigins []string `yaml:"allow_origins"`

		// AllowOriginFunc is a custom function to validate the origin. It takes the
		// origin as an argument and returns true if allowed or false otherwise. If
		// an error is returned, it is returned by the handler. If this option is
		// set, AllowOrigins is ignored.
		// Optional.
		AllowOriginFunc func(origin string) (bool, error) `yaml:"allow_origin_func"`

		// AllowMethods defines a list methods allowed when accessing the resource.
		// This is used in response to a preflight request.
		// Optional. Default value DefaultCORSConfig.AllowMethods.
		AllowMethods []string `yaml:"allow_methods"`

		// AllowHeaders defines a list of request headers that can be used when
		// making the actual request. This is in response to a preflight request.
		// Optional. Default value []string{}.
		AllowHeaders []string `yaml:"allow_headers"`

		// AllowCredentials indicates whether or not the response to the request
		// can be exposed when the credentials flag is true. When used as part of
		// a response to a preflight request, this indicates whether or not the
		// actual request can be made using credentials.
		// Optional. Default value false.
		AllowCredentials bool `yaml:"allow_credentials"`

		// ExposeHeaders defines a whitelist headers that clients are allowed to
		// access.
		// Optional. Default value []string{}.
		ExposeHeaders []string `yaml:"expose_headers"`

		// MaxAge indicates how long (in seconds) the results of a preflight request
		// can be cached.
		// Optional. Default value 0.
		MaxAge int `yaml:"max_age"`
	}
)

var (
	// DefaultCORSConfig is the default CORS middleware config.
	DefaultCORSConfig = CORSConfig{
		Skipper:      DefaultSkipper,
		AllowOrigins: []string{"*"},
		AllowMethods: []string{http.MethodGet, http.MethodHead, http.MethodPut, http.MethodPatch, http.MethodPost, http.MethodDelete},
	}
)

// CORS returns a Cross-Origin Resource Sharing (CORS) middleware.
// See: https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS
func CORS() echo.MiddlewareFunc {
	return CORSWithConfig(DefaultCORSConfig)
}

// CORSWithConfig returns a CORS middleware with config.
// See: `CORS()`.
func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
	// Defaults
	if config.Skipper == nil {
		config.Skipper = DefaultCORSConfig.Skipper
	}
	if len(config.AllowOrigins) == 0 {
		config.AllowOrigins = DefaultCORSConfig.AllowOrigins
	}
	if len(config.AllowMethods) == 0 {
		config.AllowMethods = DefaultCORSConfig.AllowMethods
	}

	allowOriginPatterns := []string{}
	for _, origin := range config.AllowOrigins {
		pattern := regexp.QuoteMeta(origin)
		pattern = strings.Replace(pattern, "\\*", ".*", -1)
		pattern = strings.Replace(pattern, "\\?", ".", -1)
		pattern = "^" + pattern + "$"
		allowOriginPatterns = append(allowOriginPatterns, pattern)
	}

	allowMethods := strings.Join(config.AllowMethods, ",")
	allowHeaders := strings.Join(config.AllowHeaders, ",")
	exposeHeaders := strings.Join(config.ExposeHeaders, ",")
	maxAge := strconv.Itoa(config.MaxAge)

	return func(next echo.HandlerFunc) echo.HandlerFunc {
		return func(c echo.Context) error {
			if config.Skipper(c) {
				return next(c)
			}

			req := c.Request()
			res := c.Response()
			origin := req.Header.Get(echo.HeaderOrigin)
			allowOrigin := ""

			preflight := req.Method == http.MethodOptions
			res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)

			// No Origin provided
			if origin == "" {
				if !preflight {
					return next(c)
				}
				return c.NoContent(http.StatusNoContent)
			}

			if config.AllowOriginFunc != nil {
				allowed, err := config.AllowOriginFunc(origin)
				if err != nil {
					return err
				}
				if allowed {
					allowOrigin = origin
				}
			} else {
				// Check allowed origins
				for _, o := range config.AllowOrigins {
					if o == "*" && config.AllowCredentials {
						allowOrigin = origin
						break
					}
					if o == "*" || o == origin {
						allowOrigin = o
						break
					}
					if matchSubdomain(origin, o) {
						allowOrigin = origin
						break
					}
				}

				// Check allowed origin patterns
				for _, re := range allowOriginPatterns {
					if allowOrigin == "" {
						didx := strings.Index(origin, "://")
						if didx == -1 {
							continue
						}
						domAuth := origin[didx+3:]
						// to avoid regex cost by invalid long domain
						if len(domAuth) > 253 {
							break
						}

						if match, _ := regexp.MatchString(re, origin); match {
							allowOrigin = origin
							break
						}
					}
				}
			}

			// Origin not allowed
			if allowOrigin == "" {
				if !preflight {
					return next(c)
				}
				return c.NoContent(http.StatusNoContent)
			}

			// Simple request
			if !preflight {
				res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowOrigin)
				if config.AllowCredentials {
					res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
				}
				if exposeHeaders != "" {
					res.Header().Set(echo.HeaderAccessControlExposeHeaders, exposeHeaders)
				}
				return next(c)
			}

			// Preflight request
			res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestMethod)
			res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestHeaders)
			res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowOrigin)
			res.Header().Set(echo.HeaderAccessControlAllowMethods, allowMethods)
			if config.AllowCredentials {
				res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
			}
			if allowHeaders != "" {
				res.Header().Set(echo.HeaderAccessControlAllowHeaders, allowHeaders)
			} else {
				h := req.Header.Get(echo.HeaderAccessControlRequestHeaders)
				if h != "" {
					res.Header().Set(echo.HeaderAccessControlAllowHeaders, h)
				}
			}
			if config.MaxAge > 0 {
				res.Header().Set(echo.HeaderAccessControlMaxAge, maxAge)
			}
			return c.NoContent(http.StatusNoContent)
		}
	}
}
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`package middleware`

			`import (`
			`"net/http"`
cors allow regex pattern enable cors to use regex pattern for allowed origins implementation is similar to another popular cors middleware: https://github.com/astaxie/beego/blob/master/plugins/cors/cors.go#L196-L201 2020-08-18 03:39:54 +02:00			`"regexp"`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`"strconv"`
			`"strings"`

Introduced Go module support as v4, removed obsolete CloseNotifier() mechanism This reintroduces support for Go modules, as v4. CloseNotifier() is removed as it has been obsoleted, see https://golang.org/doc/go1.11#net/http It was already NOT working (not sending signals) as of 1.11 the functionality was gone, we merely deleted the functions that exposed it. If anyone still relies on it they should migrate to using `c.Request().Context().Done()` instead. Closes #1268, #1255 2019-01-30 12:56:56 +02:00			`"github.com/labstack/echo/v4"`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`)`

			`type (`
			`// CORSConfig defines the config for CORS middleware.`
			`CORSConfig struct {`
Ability to skip a middleware via callback Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-27 18:34:44 +02:00			`// Skipper defines a function to skip middleware.`
			`Skipper Skipper`

Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`// AllowOrigin defines a list of origins that may access the resource.`
fixed ##743 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-22 00:42:13 +02:00			`// Optional. Default value []string{"*"}.`
Implemented rewrite middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2017-12-28 21:24:34 +02:00			AllowOrigins []string `yaml:"allow_origins"`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00
CORS: add an optional custom function to validate the origin 2020-10-09 11:07:29 +02:00			`// AllowOriginFunc is a custom function to validate the origin. It takes the`
			`// origin as an argument and returns true if allowed or false otherwise. If`
			`// an error is returned, it is returned by the handler. If this option is`
			`// set, AllowOrigins is ignored.`
			`// Optional.`
			AllowOriginFunc func(origin string) (bool, error) `yaml:"allow_origin_func"`

Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`// AllowMethods defines a list methods allowed when accessing the resource.`
			`// This is used in response to a preflight request.`
Updated docs, changes to static middleware config Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-10 20:52:04 +02:00			`// Optional. Default value DefaultCORSConfig.AllowMethods.`
Implemented rewrite middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2017-12-28 21:24:34 +02:00			AllowMethods []string `yaml:"allow_methods"`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00
			`// AllowHeaders defines a list of request headers that can be used when`
Updated comment. (#1245) 2019-01-10 01:15:33 +02:00			`// making the actual request. This is in response to a preflight request.`
Updated docs, changes to static middleware config Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-10 20:52:04 +02:00			`// Optional. Default value []string{}.`
Implemented rewrite middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2017-12-28 21:24:34 +02:00			AllowHeaders []string `yaml:"allow_headers"`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00
			`// AllowCredentials indicates whether or not the response to the request`
			`// can be exposed when the credentials flag is true. When used as part of`
			`// a response to a preflight request, this indicates whether or not the`
			`// actual request can be made using credentials.`
Updated docs, changes to static middleware config Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-10 20:52:04 +02:00			`// Optional. Default value false.`
Implemented rewrite middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2017-12-28 21:24:34 +02:00			AllowCredentials bool `yaml:"allow_credentials"`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00
			`// ExposeHeaders defines a whitelist headers that clients are allowed to`
			`// access.`
Updated docs, changes to static middleware config Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-10 20:52:04 +02:00			`// Optional. Default value []string{}.`
Implemented rewrite middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2017-12-28 21:24:34 +02:00			ExposeHeaders []string `yaml:"expose_headers"`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00
			`// MaxAge indicates how long (in seconds) the results of a preflight request`
			`// can be cached.`
Updated docs, changes to static middleware config Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-10 20:52:04 +02:00			`// Optional. Default value 0.`
Implemented rewrite middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2017-12-28 21:24:34 +02:00			MaxAge int `yaml:"max_age"`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`}`
			`)`

			`var (`
			`// DefaultCORSConfig is the default CORS middleware config.`
			`DefaultCORSConfig = CORSConfig{`
Updated docs, exposed middleware.DefaultSkipper Signed-off-by: Vishal Rana <vr@labstack.com> 2017-01-28 21:43:56 +02:00			`Skipper: DefaultSkipper,`
fixed ##743 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-22 00:42:13 +02:00			`AllowOrigins: []string{"*"},`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`AllowMethods: []string{http.MethodGet, http.MethodHead, http.MethodPut, http.MethodPatch, http.MethodPost, http.MethodDelete},`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`}`
			`)`

Updated README.md with CORS middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:57:57 +02:00			`// CORS returns a Cross-Origin Resource Sharing (CORS) middleware.`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`// See: https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`func CORS() echo.MiddlewareFunc {`
API changes from to with Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 06:20:50 +02:00			`return CORSWithConfig(DefaultCORSConfig)`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`}`

Options for redirect middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-01 05:10:14 +02:00			`// CORSWithConfig returns a CORS middleware with config.`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			// See: `CORS()`.
API changes from to with Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 06:20:50 +02:00			`func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`// Defaults`
Ability to skip a middleware via callback Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-27 18:34:44 +02:00			`if config.Skipper == nil {`
			`config.Skipper = DefaultCORSConfig.Skipper`
			`}`
fixed ##743 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-22 00:42:13 +02:00			`if len(config.AllowOrigins) == 0 {`
			`config.AllowOrigins = DefaultCORSConfig.AllowOrigins`
			`}`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`if len(config.AllowMethods) == 0 {`
			`config.AllowMethods = DefaultCORSConfig.AllowMethods`
			`}`
fixed #712 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-13 06:24:53 +02:00
cors allow regex pattern enable cors to use regex pattern for allowed origins implementation is similar to another popular cors middleware: https://github.com/astaxie/beego/blob/master/plugins/cors/cors.go#L196-L201 2020-08-18 03:39:54 +02:00			`allowOriginPatterns := []string{}`
			`for _, origin := range config.AllowOrigins {`
			`pattern := regexp.QuoteMeta(origin)`
			`pattern = strings.Replace(pattern, "\\", ".", -1)`
			`pattern = strings.Replace(pattern, "\\?", ".", -1)`
			`pattern = "^" + pattern + "$"`
			`allowOriginPatterns = append(allowOriginPatterns, pattern)`
			`}`

Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`allowMethods := strings.Join(config.AllowMethods, ",")`
			`allowHeaders := strings.Join(config.AllowHeaders, ",")`
			`exposeHeaders := strings.Join(config.ExposeHeaders, ",")`
			`maxAge := strconv.Itoa(config.MaxAge)`

			`return func(next echo.HandlerFunc) echo.HandlerFunc {`
			`return func(c echo.Context) error {`
Ability to skip a middleware via callback Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-27 18:34:44 +02:00			`if config.Skipper(c) {`
			`return next(c)`
			`}`

Refactored variable names Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-24 19:21:23 +02:00			`req := c.Request()`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`res := c.Response()`
fixed #712 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-13 06:24:53 +02:00			`origin := req.Header.Get(echo.HeaderOrigin)`
fixed ##743 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-22 00:42:13 +02:00			`allowOrigin := ""`
fixed #712 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-13 06:24:53 +02:00
Fix incorrect CORS headers - Fix empty Access-Control-Allow-Origin - Set CORS headers only if request Origin is existing and allowed - Increase middleware test coverage 2020-11-06 02:15:40 +02:00			`preflight := req.Method == http.MethodOptions`
			`res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)`

			`// No Origin provided`
			`if origin == "" {`
			`if !preflight {`
			`return next(c)`
			`}`
			`return c.NoContent(http.StatusNoContent)`
			`}`

Addressed PR feedback 2020-11-16 05:53:49 +02:00			`if config.AllowOriginFunc != nil {`
			`allowed, err := config.AllowOriginFunc(origin)`
			`if err != nil {`
			`return err`
			`}`
			`if allowed {`
			`allowOrigin = origin`
			`}`
			`} else {`
CORS: add an optional custom function to validate the origin 2020-10-09 11:07:29 +02:00			`// Check allowed origins`
			`for _, o := range config.AllowOrigins {`
			`if o == "*" && config.AllowCredentials {`
			`allowOrigin = origin`
			`break`
cors allow regex pattern enable cors to use regex pattern for allowed origins implementation is similar to another popular cors middleware: https://github.com/astaxie/beego/blob/master/plugins/cors/cors.go#L196-L201 2020-08-18 03:39:54 +02:00			`}`
CORS: add an optional custom function to validate the origin 2020-10-09 11:07:29 +02:00			`if o == "*" \|\| o == origin {`
			`allowOrigin = o`
cors allow regex pattern enable cors to use regex pattern for allowed origins implementation is similar to another popular cors middleware: https://github.com/astaxie/beego/blob/master/plugins/cors/cors.go#L196-L201 2020-08-18 03:39:54 +02:00			`break`
			`}`
CORS: add an optional custom function to validate the origin 2020-10-09 11:07:29 +02:00			`if matchSubdomain(origin, o) {`
cors allow regex pattern enable cors to use regex pattern for allowed origins implementation is similar to another popular cors middleware: https://github.com/astaxie/beego/blob/master/plugins/cors/cors.go#L196-L201 2020-08-18 03:39:54 +02:00			`allowOrigin = origin`
			`break`
			`}`
			`}`
CORS: add an optional custom function to validate the origin 2020-10-09 11:07:29 +02:00
			`// Check allowed origin patterns`
			`for _, re := range allowOriginPatterns {`
			`if allowOrigin == "" {`
			`didx := strings.Index(origin, "://")`
			`if didx == -1 {`
			`continue`
			`}`
			`domAuth := origin[didx+3:]`
			`// to avoid regex cost by invalid long domain`
			`if len(domAuth) > 253 {`
			`break`
			`}`

			`if match, _ := regexp.MatchString(re, origin); match {`
			`allowOrigin = origin`
			`break`
			`}`
			`}`
			`}`
cors allow regex pattern enable cors to use regex pattern for allowed origins implementation is similar to another popular cors middleware: https://github.com/astaxie/beego/blob/master/plugins/cors/cors.go#L196-L201 2020-08-18 03:39:54 +02:00			`}`

Fix incorrect CORS headers - Fix empty Access-Control-Allow-Origin - Set CORS headers only if request Origin is existing and allowed - Increase middleware test coverage 2020-11-06 02:15:40 +02:00			`// Origin not allowed`
			`if allowOrigin == "" {`
			`if !preflight {`
			`return next(c)`
			`}`
			`return c.NoContent(http.StatusNoContent)`
			`}`

Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`// Simple request`
Fix incorrect CORS headers - Fix empty Access-Control-Allow-Origin - Set CORS headers only if request Origin is existing and allowed - Increase middleware test coverage 2020-11-06 02:15:40 +02:00			`if !preflight {`
fixed ##743 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-22 00:42:13 +02:00			`res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowOrigin)`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`if config.AllowCredentials {`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`}`
			`if exposeHeaders != "" {`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`res.Header().Set(echo.HeaderAccessControlExposeHeaders, exposeHeaders)`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`}`
			`return next(c)`
			`}`

			`// Preflight request`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestMethod)`
			`res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestHeaders)`
fixed ##743 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-22 00:42:13 +02:00			`res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowOrigin)`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`res.Header().Set(echo.HeaderAccessControlAllowMethods, allowMethods)`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`if config.AllowCredentials {`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`}`
			`if allowHeaders != "" {`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`res.Header().Set(echo.HeaderAccessControlAllowHeaders, allowHeaders)`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`} else {`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`h := req.Header.Get(echo.HeaderAccessControlRequestHeaders)`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`if h != "" {`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`res.Header().Set(echo.HeaderAccessControlAllowHeaders, h)`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`}`
			`}`
			`if config.MaxAge > 0 {`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`res.Header().Set(echo.HeaderAccessControlMaxAge, maxAge)`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`}`
			`return c.NoContent(http.StatusNoContent)`
			`}`
			`}`
			`}`