7 роки тому · de21d4332c
--- a/config.go
+++ b/config.go
@@ -29,6 +29,13 @@ var (
 
				 		"moz-extension://",
			
 
				 		"ms-browser-extension://",
			
 
				 	}
			
 
				+	FileSchemas = []string{
			
 
				+		"file://",
			
 
				+	}
			
 
				+	WebSocketSchemas = []string{
			
 
				+		"ws://",
			
 
				+		"wss://",
			
 
				+	}
			
 
				 )
			
 
				 
			
 
				 func newCors(config Config) *cors {
			
--- a/cors.go
+++ b/cors.go
@@ -47,6 +47,12 @@ type Config struct {
 
				 
			
 
				 	// Allows usage of popular browser extensions schemas
			
 
				 	AllowBrowserExtensions bool
			
 
				+
			
 
				+	// Allows usage of WebSocket protocol
			
 
				+	AllowWebSockets bool
			
 
				+
			
 
				+	// Allows usage of file:// schema (dangerous!) use it only when you 100% sure it's needed
			
 
				+	AllowFiles bool
			
 
				 }
			
 
				 
			
 
				 // AddAllowMethods is allowed to add custom methods
			
@@ -69,19 +75,22 @@ func (c Config) getAllowedSchemas() []string {
 
				 	if c.AllowBrowserExtensions {
			
 
				 		allowedSchemas = append(allowedSchemas, ExtensionSchemas...)
			
 
				 	}
			
 
				-
			
 
				+	if c.AllowWebSockets {
			
 
				+		allowedSchemas = append(allowedSchemas, WebSocketSchemas...)
			
 
				+	}
			
 
				+	if c.AllowFiles {
			
 
				+		allowedSchemas = append(allowedSchemas, FileSchemas...)
			
 
				+	}
			
 
				 	return allowedSchemas
			
 
				 }
			
 
				 
			
 
				 func (c Config) validateAllowedSchemas(origin string) bool {
			
 
				 	allowedSchemas := c.getAllowedSchemas()
			
 
				-
			
 
				 	for _, schema := range allowedSchemas {
			
 
				 		if strings.HasPrefix(origin, schema) {
			
 
				 			return true
			
 
				 		}
			
 
				 	}
			
 
				-
			
 
				 	return false
			
 
				 }
			
 
				 
			
--- a/cors_test.go
+++ b/cors_test.go
@@ -230,6 +230,8 @@ func TestValidateOrigin(t *testing.T) {
 
				 		AllowOrigins: []string{"https://google.com", "https://github.com"},
			
 
				 	})
			
 
				 	assert.False(t, cors.validateOrigin("chrome-extension://random-extension-id"))
			
 
				+	assert.False(t, cors.validateOrigin("file://some-dangerous-file.js"))
			
 
				+	assert.False(t, cors.validateOrigin("wss://socket-connection"))
			
 
				 
			
 
				 	cors = newCors(Config{
			
 
				 		AllowOrigins:           []string{"chrome-extension://*", "safari-extension://my-extension-*-app", "*.some-domain.com"},
			
@@ -243,6 +245,16 @@ func TestValidateOrigin(t *testing.T) {
 
				 	assert.False(t, cors.validateOrigin("moz-extension://ext-id-we-not-allow"))
			
 
				 	assert.True(t, cors.validateOrigin("http://api.some-domain.com"))
			
 
				 	assert.False(t, cors.validateOrigin("http://api.another-domain.com"))
			
 
				+
			
 
				+	cors = newCors(Config{
			
 
				+		AllowOrigins:    []string{"file://safe-file.js", "wss://some-session-layer-connection"},
			
 
				+		AllowFiles:      true,
			
 
				+		AllowWebSockets: true,
			
 
				+	})
			
 
				+	assert.True(t, cors.validateOrigin("file://safe-file.js"))
			
 
				+	assert.False(t, cors.validateOrigin("file://some-dangerous-file.js"))
			
 
				+	assert.True(t, cors.validateOrigin("wss://some-session-layer-connection"))
			
 
				+	assert.False(t, cors.validateOrigin("ws://not-what-we-expected"))
			
 
				 }
			
 
				 
			
 
				 func TestPassesAllowedOrigins(t *testing.T) {