config.go 2.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134
  1. package cors
  2. import (
  3. "net/http"
  4. "strings"
  5. "github.com/gin-gonic/gin"
  6. )
  7. type cors struct {
  8. allowAllOrigins bool
  9. allowCredentials bool
  10. allowOriginFunc func(string) bool
  11. allowOrigins []string
  12. exposeHeaders []string
  13. normalHeaders http.Header
  14. preflightHeaders http.Header
  15. wildcardOrigins [][]string
  16. }
  17. var (
  18. DefaultSchemas = []string{
  19. "http://",
  20. "https://",
  21. }
  22. ExtensionSchemas = []string{
  23. "chrome-extension://",
  24. "safari-extension://",
  25. "moz-extension://",
  26. "ms-browser-extension://",
  27. }
  28. FileSchemas = []string{
  29. "file://",
  30. }
  31. WebSocketSchemas = []string{
  32. "ws://",
  33. "wss://",
  34. }
  35. )
  36. func newCors(config Config) *cors {
  37. if err := config.Validate(); err != nil {
  38. panic(err.Error())
  39. }
  40. return &cors{
  41. allowOriginFunc: config.AllowOriginFunc,
  42. allowAllOrigins: config.AllowAllOrigins,
  43. allowCredentials: config.AllowCredentials,
  44. allowOrigins: normalize(config.AllowOrigins),
  45. normalHeaders: generateNormalHeaders(config),
  46. preflightHeaders: generatePreflightHeaders(config),
  47. wildcardOrigins: config.parseWildcardRules(),
  48. }
  49. }
  50. func (cors *cors) applyCors(c *gin.Context) {
  51. origin := c.Request.Header.Get("Origin")
  52. if len(origin) == 0 {
  53. // request is not a CORS request
  54. return
  55. }
  56. host := c.Request.Header.Get("Host")
  57. if origin == "http://"+host || origin == "https://"+host {
  58. // request is not a CORS request but have origin header.
  59. // for example, use fetch api
  60. return
  61. }
  62. if !cors.validateOrigin(origin) {
  63. c.AbortWithStatus(http.StatusForbidden)
  64. return
  65. }
  66. if c.Request.Method == "OPTIONS" {
  67. cors.handlePreflight(c)
  68. defer c.AbortWithStatus(http.StatusNoContent) // Using 204 is better than 200 when the request status is OPTIONS
  69. } else {
  70. cors.handleNormal(c)
  71. }
  72. if !cors.allowAllOrigins {
  73. c.Header("Access-Control-Allow-Origin", origin)
  74. }
  75. }
  76. func (cors *cors) validateWildcardOrigin(origin string) bool {
  77. for _, w := range cors.wildcardOrigins {
  78. if w[0] == "*" && strings.HasSuffix(origin, w[1]) {
  79. return true
  80. }
  81. if w[1] == "*" && strings.HasPrefix(origin, w[0]) {
  82. return true
  83. }
  84. if strings.HasPrefix(origin, w[0]) && strings.HasSuffix(origin, w[1]) {
  85. return true
  86. }
  87. }
  88. return false
  89. }
  90. func (cors *cors) validateOrigin(origin string) bool {
  91. if cors.allowAllOrigins {
  92. return true
  93. }
  94. for _, value := range cors.allowOrigins {
  95. if value == origin {
  96. return true
  97. }
  98. }
  99. if len(cors.wildcardOrigins) > 0 && cors.validateWildcardOrigin(origin) {
  100. return true
  101. }
  102. if cors.allowOriginFunc != nil {
  103. return cors.allowOriginFunc(origin)
  104. }
  105. return false
  106. }
  107. func (cors *cors) handlePreflight(c *gin.Context) {
  108. header := c.Writer.Header()
  109. for key, value := range cors.preflightHeaders {
  110. header[key] = value
  111. }
  112. }
  113. func (cors *cors) handleNormal(c *gin.Context) {
  114. header := c.Writer.Header()
  115. for key, value := range cors.normalHeaders {
  116. header[key] = value
  117. }
  118. }