Documentation
Overview
Package cors provides a safehttp.Interceptor that handles CORS requests.
Index
- type Interceptor
- func (it *Interceptor) Before(w safehttp.ResponseWriter, r *safehttp.IncomingRequest, ...) safehttp.Result
- func (it *Interceptor) Commit(w safehttp.ResponseHeadersWriter, r *safehttp.IncomingRequest, ...)
- func (*Interceptor) Match(safehttp.InterceptorConfig) bool
- func (it *Interceptor) SetAllowedHeaders(headers ...string)
Types
type Interceptor
type Interceptor struct {
	// AllowedOrigins determines which origins should be allowed in the
	// Access-Control-Allow-Origin header.
	AllowedOrigins map[string]bool

	// ExposedHeaders determines which headers should be set in the
	// Access-Control-Expose-Headers header. This controls which headers are
	// accessible by JavaScript in the response.
	//
	// If ExposedHeaders is nil, then the header is not set, meaning that nothing
	// is exposed.
	ExposedHeaders []string

	// AllowCredentials determines if Access-Control-Allow-Credentials should be
	// set to true, which would allow cookies to be attached to requests.
	AllowCredentials bool

	// MaxAge sets the Access-Control-Max-Age header, indicating how many seconds
	// the results of a preflight request can be cached.
	//
	// MaxAge=0 results in MaxAge: 5, the default used by Chromium according to
	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
	MaxAge int
	// contains filtered or unexported fields
}
Interceptor handles CORS requests based on its settings.
For more info about CORS, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Constraints
The content types "application/x-www-form-urlencoded", "multipart/form-data" and "text/plain" are banned and will result in a 415 Unsupported Media Type response.
Each CORS request must contain the header "X-Cors: 1".
The HEAD request method is disallowed.
All of this is to prevent XSRF.
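The constraints above, written out as a stand-alone check over constructed requests. This is an added example that uses only the Go standard library and is not the cors package's own code. Only the 415 status is documented here; the 403, 412 and 405 statuses, the rejection of unlisted origins, the names check and probe, and the example hosts are assumptions.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// Content types an HTML form can send cross-origin without a preflight.
var banned = map[string]bool{
	"application/x-www-form-urlencoded": true,
	"multipart/form-data":               true,
	"text/plain":                        true,
}

// check returns the status for r under the documented constraints.
// Only 415 is stated on the page; 403, 412 and 405 are assumed here.
func check(allowed map[string]bool, r *http.Request) int {
	if o := r.Header.Get("Origin"); o != "" && !allowed[o] {
		return http.StatusForbidden // origin not in the allow list
	}
	if r.Header.Get("X-Cors") != "1" {
		return http.StatusPreconditionFailed // custom header forces a preflight
	}
	if r.Method == http.MethodHead {
		return http.StatusMethodNotAllowed
	}
	if ct := r.Header.Get("Content-Type"); ct != "" { // parameters (charset, boundary) are stripped
		if mt, _, err := mime.ParseMediaType(ct); err != nil || banned[mt] {
			return http.StatusUnsupportedMediaType
		}
	}
	return http.StatusOK
}

// probe builds a constructed request and returns the status check assigns it.
func probe(method, origin, xcors, ctype string) int {
	r := httptest.NewRequest(method, "https://api.example/transfer", nil)
	r.Header.Set("Origin", origin)
	r.Header.Set("X-Cors", xcors)
	r.Header.Set("Content-Type", ctype)
	return check(map[string]bool{"https://app.example": true}, r)
}

func main() {
	fmt.Println(probe("POST", "https://app.example", "1", "application/json"))
	fmt.Println(probe("POST", "https://app.example", "1", "text/plain; charset=utf-8"))
}
```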
func Default
func Default(allowedOrigins ...string) *Interceptor
Default creates a CORS Interceptor with default settings. Those defaults are:
- No Exposed Headers
- No Allowed Headers
- AllowCredentials: false
- MaxAge: 5 seconds
func (*Interceptor) Before
func (it *Interceptor) Before(w safehttp.ResponseWriter, r *safehttp.IncomingRequest, _ safehttp.InterceptorConfig) safehttp.Result
Before handles the IncomingRequest according to the settings specified in the Interceptor and sets the appropriate subset of the following headers:
- Access-Control-Allow-Credentials
- Access-Control-Allow-Headers
- Access-Control-Allow-Methods
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers
- Access-Control-Max-Age
- Vary
func (*Interceptor) Commit
func (it *Interceptor) Commit(w safehttp.ResponseHeadersWriter, r *safehttp.IncomingRequest, resp safehttp.Response, cfg safehttp.InterceptorConfig)
Commit is a no-op, required to satisfy the safehttp.Interceptor interface.
func (*Interceptor) Match
func (*Interceptor) Match(safehttp.InterceptorConfig) bool
Match returns false since there are no supported configurations.
func (*Interceptor) SetAllowedHeaders
func (it *Interceptor) SetAllowedHeaders(headers ...string)
SetAllowedHeaders sets the headers allowed in the Access-Control-Allow-Headers header. The headers are first canonicalized using textproto.CanonicalMIMEHeaderKey. The wildcard "*" is not allowed.