Add CORS headers

2024-11-24 08:12:38 +02:00 · 2018-04-26 17:22:31 +06:00 · 2018-04-26 17:22:31 +06:00 · 04871c8b7f
commit 04871c8b7f
parent eb341c3bee
4 changed files with 31 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -151,6 +151,7 @@ $ xxd -g 2 -l 64 -p /dev/random | tr -d '\n'

 imgproxy protects you from so-called image bombs. Here is how you can specify maximum image dimensions and resolution which you consider reasonable:

+* `IMGPROXY_ALLOW_ORIGIN` - when set, enables CORS headers with provided origin. CORS headers are disabled by default.
 * `IMGPROXY_MAX_SRC_DIMENSION` — the maximum dimensions of the source image, in pixels, for both width and height. Images with larger real size will be rejected. Default: `8192`;
 * `IMGPROXY_MAX_SRC_RESOLUTION` — the maximum resolution of the source image, in megapixels. Images with larger real size will be rejected. Default: `16.8`;

--- a/config.go
+++ b/config.go
@ -95,6 +95,8 @@ type config struct {

 	Secret string

+	AllowOrigin string
+
 	LocalFileSystemRoot string

 	ETagEnabled   bool
@ -147,6 +149,8 @@ func init() {

 	strEnvConfig(&conf.Secret, "IMGPROXY_SECRET")

+	strEnvConfig(&conf.AllowOrigin, "IMGPROXY_ALLOW_ORIGIN")
+
 	strEnvConfig(&conf.LocalFileSystemRoot, "IMGPROXY_LOCAL_FILESYSTEM_ROOT")

 	boolEnvConfig(&conf.ETagEnabled, "IMGPROXY_USE_ETAG")
--- a/errors.go
+++ b/errors.go
@ -27,6 +27,7 @@ func newUnexpectedError(err error, skip int) imgproxyError {

 var (
 	invalidSecretErr = newError(403, "Invalid secret", "Forbidden")
+	invalidMethodErr = newError(422, "Invalid request method", "Method doesn't allowed")
 )

 func stacktrace(skip int) string {
--- a/server.go
+++ b/server.go
@ -105,6 +105,13 @@ func logResponse(status int, msg string) {
 	log.Printf("|\033[7;%dm %d \033[0m| %s\n", color, status, msg)
 }

+func writeCORS(rw http.ResponseWriter) {
+	if len(conf.AllowOrigin) > 0 {
+		rw.Header().Set("Access-Control-Allow-Origin", conf.AllowOrigin)
+		rw.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONs")
+	}
+}
+
 func respondWithImage(reqID string, r *http.Request, rw http.ResponseWriter, data []byte, imgURL string, po processingOptions, duration time.Duration) {
 	gzipped := strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") && conf.GZipCompression > 0

@ -136,6 +143,11 @@ func respondWithError(reqID string, rw http.ResponseWriter, err imgproxyError) {
 	rw.Write([]byte(err.PublicMessage))
 }

+func respondWithOptions(reqID string, rw http.ResponseWriter) {
+	logResponse(200, fmt.Sprintf("[%s] Respond with options", reqID))
+	rw.WriteHeader(200)
+}
+
 func checkSecret(s string) bool {
 	if len(conf.Secret) == 0 {
 		return true
@ -154,8 +166,6 @@ func (h *httpHandler) unlock() {
 func (h *httpHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 	reqID, _ := nanoid.Nanoid()

-	log.Printf("[%s] GET: %s\n", reqID, r.URL.RequestURI())
-
 	defer func() {
 		if r := recover(); r != nil {
 			if err, ok := r.(imgproxyError); ok {
@ -166,6 +176,19 @@ func (h *httpHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 		}
 	}()

+	log.Printf("[%s] %s: %s\n", reqID, r.Method, r.URL.RequestURI())
+
+	writeCORS(rw)
+
+	if r.Method == http.MethodOptions {
+		respondWithOptions(reqID, rw)
+		return
+	}
+
+	if r.Method != http.MethodGet {
+		panic(invalidMethodErr)
+	}
+
 	if !checkSecret(r.Header.Get("Authorization")) {
 		panic(invalidSecretErr)
 	}