pax_global_header00006660000000000000000000000064142275202570014520gustar00rootroot0000000000000052 comment=1c9ca72198a8fe1c0cb868d04e16a40b2b3c1237 cors-1.2.1/000077500000000000000000000000001422752025700124675ustar00rootroot00000000000000cors-1.2.1/.github/000077500000000000000000000000001422752025700140275ustar00rootroot00000000000000cors-1.2.1/.github/workflows/000077500000000000000000000000001422752025700160645ustar00rootroot00000000000000cors-1.2.1/.github/workflows/ci.yml000066400000000000000000000013461422752025700172060ustar00rootroot00000000000000on: [push, pull_request] name: Test jobs: test: env: GOPATH: ${{ github.workspace }} GO111MODULE: off defaults: run: working-directory: ${{ env.GOPATH }}/src/github.com/${{ github.repository }} strategy: matrix: go-version: [1.14.x, 1.15.x, 1.16.x] os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - name: Install Go uses: actions/setup-go@v2 with: go-version: ${{ matrix.go-version }} - name: Checkout code uses: actions/checkout@v2 with: path: ${{ env.GOPATH }}/src/github.com/${{ github.repository }} - name: Test run: | go get -d -t ./... go test -v ./... cors-1.2.1/LICENSE000066400000000000000000000022021422752025700134700ustar00rootroot00000000000000Copyright (c) 2014 Olivier Poitrey Copyright (c) 2016-Present https://github.com/go-chi authors MIT License Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. cors-1.2.1/README.md000066400000000000000000000030771422752025700137550ustar00rootroot00000000000000# CORS net/http middleware [go-chi/cors](https://github.com/go-chi/cors) is a fork of [github.com/rs/cors](https://github.com/rs/cors) that provides a `net/http` compatible middleware for performing preflight CORS checks on the server side. These headers are required for using the browser native [Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API). This middleware is designed to be used as a top-level middleware on the [chi](https://github.com/go-chi/chi) router. Applying with within a `r.Group()` or using `With()` will not work without routes matching `OPTIONS` added. ## Usage ```go func main() { r := chi.NewRouter() // Basic CORS // for more ideas, see: https://developer.github.com/v3/#cross-origin-resource-sharing r.Use(cors.Handler(cors.Options{ // AllowedOrigins: []string{"https://foo.com"}, // Use this to allow specific origin hosts AllowedOrigins: []string{"https://*", "http://*"}, // AllowOriginFunc: func(r *http.Request, origin string) bool { return true }, AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}, AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"}, ExposedHeaders: []string{"Link"}, AllowCredentials: false, MaxAge: 300, // Maximum value not ignored by any of major browsers })) r.Get("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("welcome")) }) http.ListenAndServe(":3000", r) } ``` ## Credits All credit for the original work of this middleware goes out to [github.com/rs](github.com/rs). cors-1.2.1/_example/000077500000000000000000000000001422752025700142615ustar00rootroot00000000000000cors-1.2.1/_example/main.go000066400000000000000000000045341422752025700155420ustar00rootroot00000000000000// cors example // // ie. // // Unsuccessful Preflight request: // =============================== // $ curl -i http://localhost:3000/ -H "Origin: http://no.com" -H "Access-Control-Request-Method: GET" -X OPTIONS // HTTP/1.1 200 OK // Vary: Origin // Vary: Access-Control-Request-Method // Vary: Access-Control-Request-Headers // Date: Fri, 28 Jul 2017 17:55:47 GMT // Content-Length: 0 // Content-Type: text/plain; charset=utf-8 // // // Successful Preflight request: // ============================= // $ curl -i http://localhost:3000/ -H "Origin: http://example.com" -H "Access-Control-Request-Method: GET" -X OPTIONS // HTTP/1.1 200 OK // Access-Control-Allow-Credentials: true // Access-Control-Allow-Methods: GET // Access-Control-Allow-Origin: http://example.com // Access-Control-Max-Age: 300 // Vary: Origin // Vary: Access-Control-Request-Method // Vary: Access-Control-Request-Headers // Date: Fri, 28 Jul 2017 17:56:44 GMT // Content-Length: 0 // Content-Type: text/plain; charset=utf-8 // // // Content request (after a successful preflight): // =============================================== // $ curl -i http://localhost:3000/ -H "Origin: http://example.com" // HTTP/1.1 200 OK // Access-Control-Allow-Credentials: true // Access-Control-Allow-Origin: http://example.com // Access-Control-Expose-Headers: Link // Vary: Origin // Date: Fri, 28 Jul 2017 17:57:52 GMT // Content-Length: 7 // Content-Type: text/plain; charset=utf-8 // // welcome% // package main import ( "net/http" "github.com/go-chi/chi" "github.com/go-chi/chi/middleware" "github.com/go-chi/cors" ) func main() { r := chi.NewRouter() r.Use(middleware.Logger) // Basic CORS // for more ideas, see: https://developer.github.com/v3/#cross-origin-resource-sharing r.Use(cors.Handler(cors.Options{ AllowOriginFunc: AllowOriginFunc, AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}, AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"}, ExposedHeaders: []string{"Link"}, AllowCredentials: true, MaxAge: 300, // Maximum value not ignored by any of major browsers })) r.Get("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("welcome")) }) http.ListenAndServe(":3000", r) } func AllowOriginFunc(r *http.Request, origin string) bool { if origin == "http://example.com" { return true } return false } cors-1.2.1/cors.go000066400000000000000000000300021422752025700137570ustar00rootroot00000000000000// cors package is net/http handler to handle CORS related requests // as defined by http://www.w3.org/TR/cors/ // // You can configure it by passing an option struct to cors.New: // // c := cors.New(cors.Options{ // AllowedOrigins: []string{"foo.com"}, // AllowedMethods: []string{"GET", "POST", "DELETE"}, // AllowCredentials: true, // }) // // Then insert the handler in the chain: // // handler = c.Handler(handler) // // See Options documentation for more options. // // The resulting handler is a standard net/http handler. package cors import ( "log" "net/http" "os" "strconv" "strings" ) // Options is a configuration container to setup the CORS middleware. type Options struct { // AllowedOrigins is a list of origins a cross-domain request can be executed from. // If the special "*" value is present in the list, all origins will be allowed. // An origin may contain a wildcard (*) to replace 0 or more characters // (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penalty. // Only one wildcard can be used per origin. // Default value is ["*"] AllowedOrigins []string // AllowOriginFunc is a custom function to validate the origin. It takes the origin // as argument and returns true if allowed or false otherwise. If this option is // set, the content of AllowedOrigins is ignored. AllowOriginFunc func(r *http.Request, origin string) bool // AllowedMethods is a list of methods the client is allowed to use with // cross-domain requests. Default value is simple methods (HEAD, GET and POST). AllowedMethods []string // AllowedHeaders is list of non simple headers the client is allowed to use with // cross-domain requests. // If the special "*" value is present in the list, all headers will be allowed. // Default value is [] but "Origin" is always appended to the list. AllowedHeaders []string // ExposedHeaders indicates which headers are safe to expose to the API of a CORS // API specification ExposedHeaders []string // AllowCredentials indicates whether the request can include user credentials like // cookies, HTTP authentication or client side SSL certificates. AllowCredentials bool // MaxAge indicates how long (in seconds) the results of a preflight request // can be cached MaxAge int // OptionsPassthrough instructs preflight to let other potential next handlers to // process the OPTIONS method. Turn this on if your application handles OPTIONS. OptionsPassthrough bool // Debugging flag adds additional output to debug server side CORS issues Debug bool } // Logger generic interface for logger type Logger interface { Printf(string, ...interface{}) } // Cors http handler type Cors struct { // Debug logger Log Logger // Normalized list of plain allowed origins allowedOrigins []string // List of allowed origins containing wildcards allowedWOrigins []wildcard // Optional origin validator function allowOriginFunc func(r *http.Request, origin string) bool // Normalized list of allowed headers allowedHeaders []string // Normalized list of allowed methods allowedMethods []string // Normalized list of exposed headers exposedHeaders []string maxAge int // Set to true when allowed origins contains a "*" allowedOriginsAll bool // Set to true when allowed headers contains a "*" allowedHeadersAll bool allowCredentials bool optionPassthrough bool } // New creates a new Cors handler with the provided options. func New(options Options) *Cors { c := &Cors{ exposedHeaders: convert(options.ExposedHeaders, http.CanonicalHeaderKey), allowOriginFunc: options.AllowOriginFunc, allowCredentials: options.AllowCredentials, maxAge: options.MaxAge, optionPassthrough: options.OptionsPassthrough, } if options.Debug && c.Log == nil { c.Log = log.New(os.Stdout, "[cors] ", log.LstdFlags) } // Normalize options // Note: for origins and methods matching, the spec requires a case-sensitive matching. // As it may error prone, we chose to ignore the spec here. // Allowed Origins if len(options.AllowedOrigins) == 0 { if options.AllowOriginFunc == nil { // Default is all origins c.allowedOriginsAll = true } } else { c.allowedOrigins = []string{} c.allowedWOrigins = []wildcard{} for _, origin := range options.AllowedOrigins { // Normalize origin = strings.ToLower(origin) if origin == "*" { // If "*" is present in the list, turn the whole list into a match all c.allowedOriginsAll = true c.allowedOrigins = nil c.allowedWOrigins = nil break } else if i := strings.IndexByte(origin, '*'); i >= 0 { // Split the origin in two: start and end string without the * w := wildcard{origin[0:i], origin[i+1:]} c.allowedWOrigins = append(c.allowedWOrigins, w) } else { c.allowedOrigins = append(c.allowedOrigins, origin) } } } // Allowed Headers if len(options.AllowedHeaders) == 0 { // Use sensible defaults c.allowedHeaders = []string{"Origin", "Accept", "Content-Type"} } else { // Origin is always appended as some browsers will always request for this header at preflight c.allowedHeaders = convert(append(options.AllowedHeaders, "Origin"), http.CanonicalHeaderKey) for _, h := range options.AllowedHeaders { if h == "*" { c.allowedHeadersAll = true c.allowedHeaders = nil break } } } // Allowed Methods if len(options.AllowedMethods) == 0 { // Default is spec's "simple" methods c.allowedMethods = []string{http.MethodGet, http.MethodPost, http.MethodHead} } else { c.allowedMethods = convert(options.AllowedMethods, strings.ToUpper) } return c } // Handler creates a new Cors handler with passed options. func Handler(options Options) func(next http.Handler) http.Handler { c := New(options) return c.Handler } // AllowAll create a new Cors handler with permissive configuration allowing all // origins with all standard methods with any header and credentials. func AllowAll() *Cors { return New(Options{ AllowedOrigins: []string{"*"}, AllowedMethods: []string{ http.MethodHead, http.MethodGet, http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete, }, AllowedHeaders: []string{"*"}, AllowCredentials: false, }) } // Handler apply the CORS specification on the request, and add relevant CORS headers // as necessary. func (c *Cors) Handler(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" { c.logf("Handler: Preflight request") c.handlePreflight(w, r) // Preflight requests are standalone and should stop the chain as some other // middleware may not handle OPTIONS requests correctly. One typical example // is authentication middleware ; OPTIONS requests won't carry authentication // headers (see #1) if c.optionPassthrough { next.ServeHTTP(w, r) } else { w.WriteHeader(http.StatusOK) } } else { c.logf("Handler: Actual request") c.handleActualRequest(w, r) next.ServeHTTP(w, r) } }) } // handlePreflight handles pre-flight CORS requests func (c *Cors) handlePreflight(w http.ResponseWriter, r *http.Request) { headers := w.Header() origin := r.Header.Get("Origin") if r.Method != http.MethodOptions { c.logf("Preflight aborted: %s!=OPTIONS", r.Method) return } // Always set Vary headers // see https://github.com/rs/cors/issues/10, // https://github.com/rs/cors/commit/dbdca4d95feaa7511a46e6f1efb3b3aa505bc43f#commitcomment-12352001 headers.Add("Vary", "Origin") headers.Add("Vary", "Access-Control-Request-Method") headers.Add("Vary", "Access-Control-Request-Headers") if origin == "" { c.logf("Preflight aborted: empty origin") return } if !c.isOriginAllowed(r, origin) { c.logf("Preflight aborted: origin '%s' not allowed", origin) return } reqMethod := r.Header.Get("Access-Control-Request-Method") if !c.isMethodAllowed(reqMethod) { c.logf("Preflight aborted: method '%s' not allowed", reqMethod) return } reqHeaders := parseHeaderList(r.Header.Get("Access-Control-Request-Headers")) if !c.areHeadersAllowed(reqHeaders) { c.logf("Preflight aborted: headers '%v' not allowed", reqHeaders) return } if c.allowedOriginsAll { headers.Set("Access-Control-Allow-Origin", "*") } else { headers.Set("Access-Control-Allow-Origin", origin) } // Spec says: Since the list of methods can be unbounded, simply returning the method indicated // by Access-Control-Request-Method (if supported) can be enough headers.Set("Access-Control-Allow-Methods", strings.ToUpper(reqMethod)) if len(reqHeaders) > 0 { // Spec says: Since the list of headers can be unbounded, simply returning supported headers // from Access-Control-Request-Headers can be enough headers.Set("Access-Control-Allow-Headers", strings.Join(reqHeaders, ", ")) } if c.allowCredentials { headers.Set("Access-Control-Allow-Credentials", "true") } if c.maxAge > 0 { headers.Set("Access-Control-Max-Age", strconv.Itoa(c.maxAge)) } c.logf("Preflight response headers: %v", headers) } // handleActualRequest handles simple cross-origin requests, actual request or redirects func (c *Cors) handleActualRequest(w http.ResponseWriter, r *http.Request) { headers := w.Header() origin := r.Header.Get("Origin") // Always set Vary, see https://github.com/rs/cors/issues/10 headers.Add("Vary", "Origin") if origin == "" { c.logf("Actual request no headers added: missing origin") return } if !c.isOriginAllowed(r, origin) { c.logf("Actual request no headers added: origin '%s' not allowed", origin) return } // Note that spec does define a way to specifically disallow a simple method like GET or // POST. Access-Control-Allow-Methods is only used for pre-flight requests and the // spec doesn't instruct to check the allowed methods for simple cross-origin requests. // We think it's a nice feature to be able to have control on those methods though. if !c.isMethodAllowed(r.Method) { c.logf("Actual request no headers added: method '%s' not allowed", r.Method) return } if c.allowedOriginsAll { headers.Set("Access-Control-Allow-Origin", "*") } else { headers.Set("Access-Control-Allow-Origin", origin) } if len(c.exposedHeaders) > 0 { headers.Set("Access-Control-Expose-Headers", strings.Join(c.exposedHeaders, ", ")) } if c.allowCredentials { headers.Set("Access-Control-Allow-Credentials", "true") } c.logf("Actual response added headers: %v", headers) } // convenience method. checks if a logger is set. func (c *Cors) logf(format string, a ...interface{}) { if c.Log != nil { c.Log.Printf(format, a...) } } // isOriginAllowed checks if a given origin is allowed to perform cross-domain requests // on the endpoint func (c *Cors) isOriginAllowed(r *http.Request, origin string) bool { if c.allowOriginFunc != nil { return c.allowOriginFunc(r, origin) } if c.allowedOriginsAll { return true } origin = strings.ToLower(origin) for _, o := range c.allowedOrigins { if o == origin { return true } } for _, w := range c.allowedWOrigins { if w.match(origin) { return true } } return false } // isMethodAllowed checks if a given method can be used as part of a cross-domain request // on the endpoint func (c *Cors) isMethodAllowed(method string) bool { if len(c.allowedMethods) == 0 { // If no method allowed, always return false, even for preflight request return false } method = strings.ToUpper(method) if method == http.MethodOptions { // Always allow preflight requests return true } for _, m := range c.allowedMethods { if m == method { return true } } return false } // areHeadersAllowed checks if a given list of headers are allowed to used within // a cross-domain request. func (c *Cors) areHeadersAllowed(requestedHeaders []string) bool { if c.allowedHeadersAll || len(requestedHeaders) == 0 { return true } for _, header := range requestedHeaders { header = http.CanonicalHeaderKey(header) found := false for _, h := range c.allowedHeaders { if h == header { found = true break } } if !found { return false } } return true } cors-1.2.1/cors_test.go000066400000000000000000000315441422752025700150320ustar00rootroot00000000000000package cors import ( "net/http" "net/http/httptest" "regexp" "strings" "testing" ) var testHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("bar")) }) var allHeaders = []string{ "Vary", "Access-Control-Allow-Origin", "Access-Control-Allow-Methods", "Access-Control-Allow-Headers", "Access-Control-Allow-Credentials", "Access-Control-Max-Age", "Access-Control-Expose-Headers", } func assertHeaders(t *testing.T, resHeaders http.Header, expHeaders map[string]string) { for _, name := range allHeaders { got := strings.Join(resHeaders[name], ", ") want := expHeaders[name] if got != want { t.Errorf("Response header %q = %q, want %q", name, got, want) } } } func assertResponse(t *testing.T, res *httptest.ResponseRecorder, responseCode int) { if responseCode != res.Code { t.Errorf("assertResponse: expected response code to be %d but got %d. ", responseCode, res.Code) } } func TestSpec(t *testing.T) { cases := []struct { name string options Options method string reqHeaders map[string]string resHeaders map[string]string }{ { "NoConfig", Options{ // Intentionally left blank. }, "GET", map[string]string{}, map[string]string{ "Vary": "Origin", }, }, { "MatchAllOrigin", Options{ AllowedOrigins: []string{"*"}, }, "GET", map[string]string{ "Origin": "http://foobar.com", }, map[string]string{ "Vary": "Origin", "Access-Control-Allow-Origin": "*", }, }, { "MatchAllOriginWithCredentials", Options{ AllowedOrigins: []string{"*"}, AllowCredentials: true, }, "GET", map[string]string{ "Origin": "http://foobar.com", }, map[string]string{ "Vary": "Origin", "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true", }, }, { "AllowedOrigin", Options{ AllowedOrigins: []string{"http://foobar.com"}, }, "GET", map[string]string{ "Origin": "http://foobar.com", }, map[string]string{ "Vary": "Origin", "Access-Control-Allow-Origin": "http://foobar.com", }, }, { "WildcardOrigin", Options{ AllowedOrigins: []string{"http://*.bar.com"}, }, "GET", map[string]string{ "Origin": "http://foo.bar.com", }, map[string]string{ "Vary": "Origin", "Access-Control-Allow-Origin": "http://foo.bar.com", }, }, { "DisallowedOrigin", Options{ AllowedOrigins: []string{"http://foobar.com"}, }, "GET", map[string]string{ "Origin": "http://barbaz.com", }, map[string]string{ "Vary": "Origin", }, }, { "DisallowedWildcardOrigin", Options{ AllowedOrigins: []string{"http://*.bar.com"}, }, "GET", map[string]string{ "Origin": "http://foo.baz.com", }, map[string]string{ "Vary": "Origin", }, }, { "AllowedOriginFuncMatch", Options{ AllowOriginFunc: func(r *http.Request, o string) bool { return regexp.MustCompile("^http://foo").MatchString(o) && r.Header.Get("Authorization") == "secret" }, }, "GET", map[string]string{ "Origin": "http://foobar.com", "Authorization": "secret", }, map[string]string{ "Vary": "Origin", "Access-Control-Allow-Origin": "http://foobar.com", }, }, { "AllowOriginFuncNotMatch", Options{ AllowOriginFunc: func(r *http.Request, o string) bool { return regexp.MustCompile("^http://foo").MatchString(o) && r.Header.Get("Authorization") == "secret" }, }, "GET", map[string]string{ "Origin": "http://foobar.com", "Authorization": "not-secret", }, map[string]string{ "Vary": "Origin", }, }, { "MaxAge", Options{ AllowedOrigins: []string{"http://example.com/"}, AllowedMethods: []string{"GET"}, MaxAge: 10, }, "OPTIONS", map[string]string{ "Origin": "http://example.com/", "Access-Control-Request-Method": "GET", }, map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", "Access-Control-Allow-Origin": "http://example.com/", "Access-Control-Allow-Methods": "GET", "Access-Control-Max-Age": "10", }, }, { "AllowedMethod", Options{ AllowedOrigins: []string{"http://foobar.com"}, AllowedMethods: []string{"PUT", "DELETE"}, }, "OPTIONS", map[string]string{ "Origin": "http://foobar.com", "Access-Control-Request-Method": "PUT", }, map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", "Access-Control-Allow-Origin": "http://foobar.com", "Access-Control-Allow-Methods": "PUT", }, }, { "DisallowedMethod", Options{ AllowedOrigins: []string{"http://foobar.com"}, AllowedMethods: []string{"PUT", "DELETE"}, }, "OPTIONS", map[string]string{ "Origin": "http://foobar.com", "Access-Control-Request-Method": "PATCH", }, map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", }, }, { "AllowedHeaders", Options{ AllowedOrigins: []string{"http://foobar.com"}, AllowedHeaders: []string{"X-Header-1", "x-header-2"}, }, "OPTIONS", map[string]string{ "Origin": "http://foobar.com", "Access-Control-Request-Method": "GET", "Access-Control-Request-Headers": "X-Header-2, X-HEADER-1", }, map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", "Access-Control-Allow-Origin": "http://foobar.com", "Access-Control-Allow-Methods": "GET", "Access-Control-Allow-Headers": "X-Header-2, X-Header-1", }, }, { "DefaultAllowedHeaders", Options{ AllowedOrigins: []string{"http://foobar.com"}, AllowedHeaders: []string{}, }, "OPTIONS", map[string]string{ "Origin": "http://foobar.com", "Access-Control-Request-Method": "GET", "Access-Control-Request-Headers": "Content-Type", }, map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", "Access-Control-Allow-Origin": "http://foobar.com", "Access-Control-Allow-Methods": "GET", "Access-Control-Allow-Headers": "Content-Type", }, }, { "AllowedWildcardHeader", Options{ AllowedOrigins: []string{"http://foobar.com"}, AllowedHeaders: []string{"*"}, }, "OPTIONS", map[string]string{ "Origin": "http://foobar.com", "Access-Control-Request-Method": "GET", "Access-Control-Request-Headers": "X-Header-2, X-HEADER-1", }, map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", "Access-Control-Allow-Origin": "http://foobar.com", "Access-Control-Allow-Methods": "GET", "Access-Control-Allow-Headers": "X-Header-2, X-Header-1", }, }, { "DisallowedHeader", Options{ AllowedOrigins: []string{"http://foobar.com"}, AllowedHeaders: []string{"X-Header-1", "x-header-2"}, }, "OPTIONS", map[string]string{ "Origin": "http://foobar.com", "Access-Control-Request-Method": "GET", "Access-Control-Request-Headers": "X-Header-3, X-Header-1", }, map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", }, }, { "OriginHeader", Options{ AllowedOrigins: []string{"http://foobar.com"}, }, "OPTIONS", map[string]string{ "Origin": "http://foobar.com", "Access-Control-Request-Method": "GET", "Access-Control-Request-Headers": "origin", }, map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", "Access-Control-Allow-Origin": "http://foobar.com", "Access-Control-Allow-Methods": "GET", "Access-Control-Allow-Headers": "Origin", }, }, { "ExposedHeader", Options{ AllowedOrigins: []string{"http://foobar.com"}, ExposedHeaders: []string{"X-Header-1", "x-header-2"}, }, "GET", map[string]string{ "Origin": "http://foobar.com", }, map[string]string{ "Vary": "Origin", "Access-Control-Allow-Origin": "http://foobar.com", "Access-Control-Expose-Headers": "X-Header-1, X-Header-2", }, }, { "AllowedCredentials", Options{ AllowedOrigins: []string{"http://foobar.com"}, AllowCredentials: true, }, "OPTIONS", map[string]string{ "Origin": "http://foobar.com", "Access-Control-Request-Method": "GET", }, map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", "Access-Control-Allow-Origin": "http://foobar.com", "Access-Control-Allow-Methods": "GET", "Access-Control-Allow-Credentials": "true", }, }, { "OptionPassthrough", Options{ OptionsPassthrough: true, }, "OPTIONS", map[string]string{ "Origin": "http://foobar.com", "Access-Control-Request-Method": "GET", }, map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "GET", }, }, { "NonPreflightOptions", Options{ AllowedOrigins: []string{"http://foobar.com"}, }, "OPTIONS", map[string]string{ "Origin": "http://foobar.com", }, map[string]string{ "Vary": "Origin", "Access-Control-Allow-Origin": "http://foobar.com", }, }, } for i := range cases { tc := cases[i] t.Run(tc.name, func(t *testing.T) { s := New(tc.options) req, _ := http.NewRequest(tc.method, "http://example.com/foo", nil) for name, value := range tc.reqHeaders { req.Header.Add(name, value) } t.Run("Handler", func(t *testing.T) { res := httptest.NewRecorder() s.Handler(testHandler).ServeHTTP(res, req) assertHeaders(t, res.Header(), tc.resHeaders) }) }) } } func TestDebug(t *testing.T) { s := New(Options{ Debug: true, }) if s.Log == nil { t.Error("Logger not created when debug=true") } } func TestDefault(t *testing.T) { s := New(Options{}) if s.Log != nil { t.Error("c.log should be nil when Default") } if !s.allowedOriginsAll { t.Error("c.allowedOriginsAll should be true when Default") } if s.allowedHeaders == nil { t.Error("c.allowedHeaders should be nil when Default") } if s.allowedMethods == nil { t.Error("c.allowedMethods should be nil when Default") } } func TestHandlePreflightInvalidOriginAbortion(t *testing.T) { s := New(Options{ AllowedOrigins: []string{"http://foo.com"}, }) res := httptest.NewRecorder() req, _ := http.NewRequest("OPTIONS", "http://example.com/foo", nil) req.Header.Add("Origin", "http://example.com/") s.handlePreflight(res, req) assertHeaders(t, res.Header(), map[string]string{ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers", }) } func TestHandlePreflightNoOptionsAbortion(t *testing.T) { s := New(Options{ // Intentionally left blank. }) res := httptest.NewRecorder() req, _ := http.NewRequest("GET", "http://example.com/foo", nil) s.handlePreflight(res, req) assertHeaders(t, res.Header(), map[string]string{}) } func TestHandleActualRequestInvalidOriginAbortion(t *testing.T) { s := New(Options{ AllowedOrigins: []string{"http://foo.com"}, }) res := httptest.NewRecorder() req, _ := http.NewRequest("GET", "http://example.com/foo", nil) req.Header.Add("Origin", "http://example.com/") s.handleActualRequest(res, req) assertHeaders(t, res.Header(), map[string]string{ "Vary": "Origin", }) } func TestHandleActualRequestInvalidMethodAbortion(t *testing.T) { s := New(Options{ AllowedMethods: []string{"POST"}, AllowCredentials: true, }) res := httptest.NewRecorder() req, _ := http.NewRequest("GET", "http://example.com/foo", nil) req.Header.Add("Origin", "http://example.com/") s.handleActualRequest(res, req) assertHeaders(t, res.Header(), map[string]string{ "Vary": "Origin", }) } func TestIsMethodAllowedReturnsFalseWithNoMethods(t *testing.T) { s := New(Options{ // Intentionally left blank. }) s.allowedMethods = []string{} if s.isMethodAllowed("") { t.Error("IsMethodAllowed should return false when c.allowedMethods is nil.") } } func TestIsMethodAllowedReturnsTrueWithOptions(t *testing.T) { s := New(Options{ // Intentionally left blank. }) if !s.isMethodAllowed("OPTIONS") { t.Error("IsMethodAllowed should return true when c.allowedMethods is nil.") } } cors-1.2.1/go.mod000066400000000000000000000000471422752025700135760ustar00rootroot00000000000000module github.com/go-chi/cors go 1.14 cors-1.2.1/utils.go000066400000000000000000000027101422752025700141560ustar00rootroot00000000000000package cors import "strings" const toLower = 'a' - 'A' type converter func(string) string type wildcard struct { prefix string suffix string } func (w wildcard) match(s string) bool { return len(s) >= len(w.prefix+w.suffix) && strings.HasPrefix(s, w.prefix) && strings.HasSuffix(s, w.suffix) } // convert converts a list of string using the passed converter function func convert(s []string, c converter) []string { out := []string{} for _, i := range s { out = append(out, c(i)) } return out } // parseHeaderList tokenize + normalize a string containing a list of headers func parseHeaderList(headerList string) []string { l := len(headerList) h := make([]byte, 0, l) upper := true // Estimate the number headers in order to allocate the right splice size t := 0 for i := 0; i < l; i++ { if headerList[i] == ',' { t++ } } headers := make([]string, 0, t) for i := 0; i < l; i++ { b := headerList[i] if b >= 'a' && b <= 'z' { if upper { h = append(h, b-toLower) } else { h = append(h, b) } } else if b >= 'A' && b <= 'Z' { if !upper { h = append(h, b+toLower) } else { h = append(h, b) } } else if b == '-' || b == '_' || b == '.' || (b >= '0' && b <= '9') { h = append(h, b) } if b == ' ' || b == ',' || i == l-1 { if len(h) > 0 { // Flush the found header headers = append(headers, string(h)) h = h[:0] upper = true } } else { upper = b == '-' } } return headers } cors-1.2.1/utils_test.go000066400000000000000000000037321422752025700152220ustar00rootroot00000000000000package cors import ( "strings" "testing" ) func TestWildcard(t *testing.T) { w := wildcard{"foo", "bar"} if !w.match("foobar") { t.Error("foo*bar should match foobar") } if !w.match("foobazbar") { t.Error("foo*bar should match foobazbar") } if w.match("foobaz") { t.Error("foo*bar should not match foobaz") } w = wildcard{"foo", "oof"} if w.match("foof") { t.Error("foo*oof should not match foof") } } func TestConvert(t *testing.T) { s := convert([]string{"A", "b", "C"}, strings.ToLower) e := []string{"a", "b", "c"} if s[0] != e[0] || s[1] != e[1] || s[2] != e[2] { t.Errorf("%v != %v", s, e) } } func TestParseHeaderList(t *testing.T) { h := parseHeaderList("header, second-header, THIRD-HEADER, Numb3r3d-H34d3r, Header_with_underscore Header.with.full.stop") e := []string{"Header", "Second-Header", "Third-Header", "Numb3r3d-H34d3r", "Header_with_underscore", "Header.with.full.stop"} if h[0] != e[0] || h[1] != e[1] || h[2] != e[2] || h[3] != e[3] || h[4] != e[4] || h[5] != e[5] { t.Errorf("%v != %v", h, e) } } func TestParseHeaderListEmpty(t *testing.T) { if len(parseHeaderList("")) != 0 { t.Error("should be empty slice") } if len(parseHeaderList(" , ")) != 0 { t.Error("should be empty slice") } } func BenchmarkParseHeaderList(b *testing.B) { b.ReportAllocs() for i := 0; i < b.N; i++ { parseHeaderList("header, second-header, THIRD-HEADER") } } func BenchmarkParseHeaderListSingle(b *testing.B) { b.ReportAllocs() for i := 0; i < b.N; i++ { parseHeaderList("header") } } func BenchmarkParseHeaderListNormalized(b *testing.B) { b.ReportAllocs() for i := 0; i < b.N; i++ { parseHeaderList("Header1, Header2, Third-Header") } } func BenchmarkWildcard(b *testing.B) { w := wildcard{"foo", "bar"} b.Run("match", func(b *testing.B) { b.ReportAllocs() for i := 0; i < b.N; i++ { w.match("foobazbar") } }) b.Run("too short", func(b *testing.B) { b.ReportAllocs() for i := 0; i < b.N; i++ { w.match("fobar") } }) }