mirror of
https://github.com/labstack/echo.git
synced 2024-12-22 20:06:21 +02:00
cors middleware: allow sending Access-Control-Max-Age: 0
value with config.MaxAge being negative number. (#2518)
This commit is contained in:
parent
3950c444b7
commit
4bc3e475e3
@ -99,8 +99,9 @@ type (
|
||||
// MaxAge determines the value of the Access-Control-Max-Age response header.
|
||||
// This header indicates how long (in seconds) the results of a preflight
|
||||
// request can be cached.
|
||||
// The header is set only if MaxAge != 0, negative value sends "0" which instructs browsers not to cache that response.
|
||||
//
|
||||
// Optional. Default value 0. The header is set only if MaxAge > 0.
|
||||
// Optional. Default value 0 - meaning header is not sent.
|
||||
//
|
||||
// See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
|
||||
MaxAge int `yaml:"max_age"`
|
||||
@ -159,7 +160,11 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
|
||||
allowMethods := strings.Join(config.AllowMethods, ",")
|
||||
allowHeaders := strings.Join(config.AllowHeaders, ",")
|
||||
exposeHeaders := strings.Join(config.ExposeHeaders, ",")
|
||||
maxAge := strconv.Itoa(config.MaxAge)
|
||||
|
||||
maxAge := "0"
|
||||
if config.MaxAge > 0 {
|
||||
maxAge = strconv.Itoa(config.MaxAge)
|
||||
}
|
||||
|
||||
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
||||
return func(c echo.Context) error {
|
||||
@ -282,7 +287,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
|
||||
res.Header().Set(echo.HeaderAccessControlAllowHeaders, h)
|
||||
}
|
||||
}
|
||||
if config.MaxAge > 0 {
|
||||
if config.MaxAge != 0 {
|
||||
res.Header().Set(echo.HeaderAccessControlMaxAge, maxAge)
|
||||
}
|
||||
return c.NoContent(http.StatusNoContent)
|
||||
|
@ -60,6 +60,59 @@ func TestCORS(t *testing.T) {
|
||||
echo.HeaderAccessControlMaxAge: "3600",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "ok, preflight request when `Access-Control-Max-Age` is set",
|
||||
givenMW: CORSWithConfig(CORSConfig{
|
||||
AllowOrigins: []string{"localhost"},
|
||||
AllowCredentials: true,
|
||||
MaxAge: 1,
|
||||
}),
|
||||
whenMethod: http.MethodOptions,
|
||||
whenHeaders: map[string]string{
|
||||
echo.HeaderOrigin: "localhost",
|
||||
echo.HeaderContentType: echo.MIMEApplicationJSON,
|
||||
},
|
||||
expectHeaders: map[string]string{
|
||||
echo.HeaderAccessControlMaxAge: "1",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "ok, preflight request when `Access-Control-Max-Age` is set to 0 - not to cache response",
|
||||
givenMW: CORSWithConfig(CORSConfig{
|
||||
AllowOrigins: []string{"localhost"},
|
||||
AllowCredentials: true,
|
||||
MaxAge: -1, // forces `Access-Control-Max-Age: 0`
|
||||
}),
|
||||
whenMethod: http.MethodOptions,
|
||||
whenHeaders: map[string]string{
|
||||
echo.HeaderOrigin: "localhost",
|
||||
echo.HeaderContentType: echo.MIMEApplicationJSON,
|
||||
},
|
||||
expectHeaders: map[string]string{
|
||||
echo.HeaderAccessControlMaxAge: "0",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "ok, CORS check are skipped",
|
||||
givenMW: CORSWithConfig(CORSConfig{
|
||||
AllowOrigins: []string{"localhost"},
|
||||
AllowCredentials: true,
|
||||
Skipper: func(c echo.Context) bool {
|
||||
return true
|
||||
},
|
||||
}),
|
||||
whenMethod: http.MethodOptions,
|
||||
whenHeaders: map[string]string{
|
||||
echo.HeaderOrigin: "localhost",
|
||||
echo.HeaderContentType: echo.MIMEApplicationJSON,
|
||||
},
|
||||
notExpectHeaders: map[string]string{
|
||||
echo.HeaderAccessControlAllowOrigin: "localhost",
|
||||
echo.HeaderAccessControlAllowMethods: "GET,HEAD,PUT,PATCH,POST,DELETE",
|
||||
echo.HeaderAccessControlAllowCredentials: "true",
|
||||
echo.HeaderAccessControlMaxAge: "3600",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "ok, preflight request with wildcard `AllowOrigins` and `AllowCredentials` true",
|
||||
givenMW: CORSWithConfig(CORSConfig{
|
||||
|
Loading…
Reference in New Issue
Block a user