Documentation
¶
Overview ¶
Package cors provides a safehttp.Interceptor that handles CORS requests.
Index ¶
- type Interceptor
- func (it *Interceptor) Before(w safehttp.ResponseWriter, r *safehttp.IncomingRequest, ...) safehttp.Result
- func (it *Interceptor) Commit(w safehttp.ResponseHeadersWriter, r *safehttp.IncomingRequest, ...)
- func (*Interceptor) Match(safehttp.InterceptorConfig) bool
- func (it *Interceptor) SetAllowedHeaders(headers ...string)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Interceptor ¶
type Interceptor struct {
// AllowedOrigins determines which origins should be allowed in the
// Access-Control-Allow-Origin header.
AllowedOrigins map[string]bool
// ExposedHeaders determines which headers should be set in the
// Access-Control-Expose-Headers header. This controls which headers are
// accessible by JavaScript in the response.
//
// If ExposedHeaders is nil, then the header is not set, meaning that nothing
// is exposed.
ExposedHeaders []string
// AllowCredentials determines if Access-Control-Allow-Credentials should be
// set to true, which would allow cookies to be attached to requests.
AllowCredentials bool
// MaxAge sets the Access-Control-Max-Age header, indicating how many seconds
// the results of a preflight request can be cached.
//
// MaxAge=0 results in MaxAge: 5, the default used by Chromium according to
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
MaxAge int
// contains filtered or unexported fields
}
Interceptor handles CORS requests based on its settings.
For more info about CORS, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Constraints ¶
The content types "application/x-www-form-urlencoded", "multipart/form-data" and "text/plain" are banned and will result in a 415 Unsupported Media Type response.
Each CORS request must contain the header "X-Cors: 1".
The HEAD request method is disallowed.
All of this is to prevent XSRF.
func Default ¶
func Default(allowedOrigins ...string) *Interceptor
Default creates a CORS Interceptor with default settings. Those defaults are:
- No Exposed Headers
- No Allowed Headers
- AllowCredentials: false
- MaxAge: 5 seconds
func (*Interceptor) Before ¶
func (it *Interceptor) Before(w safehttp.ResponseWriter, r *safehttp.IncomingRequest, _ safehttp.InterceptorConfig) safehttp.Result
Before handles the IncomingRequest according to the settings specified in the Interceptor and sets the appropriate subset of the following headers:
- Access-Control-Allow-Credentials
- Access-Control-Allow-Headers
- Access-Control-Allow-Methods
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers
- Access-Control-Max-Age
- Vary
func (*Interceptor) Commit ¶
func (it *Interceptor) Commit(w safehttp.ResponseHeadersWriter, r *safehttp.IncomingRequest, resp safehttp.Response, cfg safehttp.InterceptorConfig)
Commit is a no-op, required to satisfy the safehttp.Interceptor interface.
func (*Interceptor) Match ¶
func (*Interceptor) Match(safehttp.InterceptorConfig) bool
Match returns false since there are no supported configurations.
func (*Interceptor) SetAllowedHeaders ¶
func (it *Interceptor) SetAllowedHeaders(headers ...string)
SetAllowedHeaders sets the headers allowed in the Access-Control-Allow-Headers header. The headers are first canonicalized using textproto.CanonicalMIMEHeaderKey. The wildcard "*" is not allowed.