mirror of
https://github.com/labstack/echo.git
synced 2024-12-22 20:06:21 +02:00
cors: not checking for origin header
Signed-off-by: Vishal Rana <vr@labstack.com>
This commit is contained in:
parent
e08070379a
commit
4c78b7122b
@ -75,6 +75,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
|
||||
if len(config.AllowMethods) == 0 {
|
||||
config.AllowMethods = DefaultCORSConfig.AllowMethods
|
||||
}
|
||||
allowOrigins := strings.Join(config.AllowOrigins, ",")
|
||||
allowMethods := strings.Join(config.AllowMethods, ",")
|
||||
allowHeaders := strings.Join(config.AllowHeaders, ",")
|
||||
exposeHeaders := strings.Join(config.ExposeHeaders, ",")
|
||||
@ -88,25 +89,11 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
|
||||
|
||||
req := c.Request()
|
||||
res := c.Response()
|
||||
origin := req.Header().Get(echo.HeaderOrigin)
|
||||
originSet := req.Header().Contains(echo.HeaderOrigin) // Issue #517
|
||||
|
||||
// Check allowed origins
|
||||
allowedOrigin := ""
|
||||
for _, o := range config.AllowOrigins {
|
||||
if o == "*" || o == origin {
|
||||
allowedOrigin = o
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
// Simple request
|
||||
if req.Method() != echo.OPTIONS {
|
||||
res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
|
||||
if !originSet || allowedOrigin == "" {
|
||||
return next(c)
|
||||
}
|
||||
res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
|
||||
res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowOrigins)
|
||||
if config.AllowCredentials {
|
||||
res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
|
||||
}
|
||||
@ -120,10 +107,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
|
||||
res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
|
||||
res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestMethod)
|
||||
res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestHeaders)
|
||||
if !originSet || allowedOrigin == "" {
|
||||
return next(c)
|
||||
}
|
||||
res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
|
||||
res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowOrigins)
|
||||
res.Header().Set(echo.HeaderAccessControlAllowMethods, allowMethods)
|
||||
if config.AllowCredentials {
|
||||
res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
|
||||
|
@ -21,18 +21,6 @@ func TestCORS(t *testing.T) {
|
||||
return c.String(http.StatusOK, "test")
|
||||
})
|
||||
|
||||
// No origin header
|
||||
h(c)
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
||||
|
||||
// Empty origin header
|
||||
req = test.NewRequest(echo.GET, "/", nil)
|
||||
rec = test.NewResponseRecorder()
|
||||
c = e.NewContext(req, rec)
|
||||
req.Header().Set(echo.HeaderOrigin, "")
|
||||
h(c)
|
||||
assert.Equal(t, "*", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
||||
|
||||
// Wildcard origin
|
||||
req = test.NewRequest(echo.GET, "/", nil)
|
||||
rec = test.NewResponseRecorder()
|
||||
|
Loading…
Reference in New Issue
Block a user