package cors import ( "net/http" ) type Config struct { AllowOrigin string AllowMethods string AllowHeaders string AllowCredentials bool } // CombinedCORSHandler wraps a server and provides CORS headers. func CombinedCORSHandler(h http.Handler, config *Config) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if config != nil { SetHeaders(w, r, config) } if r.Method == "OPTIONS" { return } h.ServeHTTP(w, r) }) } // SetHeaders sets the CORS headers. func SetHeaders(w http.ResponseWriter, _ *http.Request, config *Config) { set := func(w http.ResponseWriter, k, v string) { if v := w.Header().Get(k); len(v) > 0 { return } w.Header().Set(k, v) } // For forward-compatible code, default values may not be provided in the future if config.AllowCredentials { set(w, "Access-Control-Allow-Credentials", "true") } else { set(w, "Access-Control-Allow-Credentials", "false") } if config.AllowOrigin == "" { set(w, "Access-Control-Allow-Origin", "*") } else { set(w, "Access-Control-Allow-Origin", config.AllowOrigin) } if config.AllowMethods == "" { set(w, "Access-Control-Allow-Methods", "POST, PATCH, GET, OPTIONS, PUT, DELETE") } else { set(w, "Access-Control-Allow-Methods", config.AllowMethods) } if config.AllowHeaders == "" { set(w, "Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization") } else { set(w, "Access-Control-Allow-Headers", config.AllowHeaders) } }