Skip to content

Commit

Permalink
feat(middleware/cors): Add support for Access-Control-Allow-Private-N…
Browse files Browse the repository at this point in the history
…etwork (#2908)

* Add support for Access-Control-Allow-Private-Network in CORS middleware

* Access-Control-Allow-Private-Network in CORS middleware documentation update

* Access-Control-Allow-Private-Network in CORS middleware tests

* Fix lint issues

* Fix formatting

* Rename config option, add more unit-tests

* Fix syntax issue

* Fix conditional

* Fix formatting, add more unit-tests

* chore(middleware/cors): Update middleware/cors/cors.go

* chore(middleware/cors): add HeaderAccessControlRequestPrivateNetowkr

* test(middleware/cors): fix CORS headers

* docs(middleware/cors): table order and alignment

---------

Co-authored-by: Juan Calderon-Perez <[email protected]>
Co-authored-by: Juan Calderon-Perez <[email protected]>
Co-authored-by: Jason McNeil <[email protected]>
  • Loading branch information
4 people authored Mar 22, 2024
1 parent 7fa8b2d commit 5e8df0a
Show file tree
Hide file tree
Showing 4 changed files with 260 additions and 137 deletions.
23 changes: 13 additions & 10 deletions docs/api/middleware/cors.md
Original file line number Diff line number Diff line change
Expand Up @@ -110,16 +110,18 @@ panic: [CORS] 'AllowCredentials' is true, but 'AllowOrigins' cannot be set to `"

## Config

| Property | Type | Description | Default |
|:-----------------|:---------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------|
| Next | `func(fiber.Ctx) bool` | Next defines a function to skip this middleware when returned true. | `nil` |
| AllowOriginsFunc | `func(origin string) bool` | `AllowOriginsFunc` is a function that dynamically determines whether to allow a request based on its origin. If this function returns `true`, the 'Access-Control-Allow-Origin' response header will be set to the request's 'origin' header. This function is only used if the request's origin doesn't match any origin in `AllowOrigins`. | `nil` |
| AllowOrigins | `string` | AllowOrigins defines a comma separated list of origins that may access the resource. This supports subdomain matching, so you can use a value like "https://*.example.com" to allow any subdomain of example.com to submit requests. | `"*"` |
| AllowMethods | `string` | AllowMethods defines a list of methods allowed when accessing the resource. This is used in response to a preflight request. | `"GET,POST,HEAD,PUT,DELETE,PATCH"` |
| AllowHeaders | `string` | AllowHeaders defines a list of request headers that can be used when making the actual request. This is in response to a preflight request. | `""` |
| AllowCredentials | `bool` | AllowCredentials indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note: If true, AllowOrigins cannot be set to a wildcard (`"*"`) to prevent security vulnerabilities. | `false` |
| ExposeHeaders | `string` | ExposeHeaders defines whitelist headers that clients are allowed to access. | `""` |
| MaxAge | `int` | MaxAge indicates how long (in seconds) the results of a preflight request can be cached. If you pass MaxAge 0, the Access-Control-Max-Age header will not be added and the browser will use 5 seconds by default. To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header to 0. | `0` |
| Property | Type | Description | Default |
|:---------------------|:----------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------|
| AllowCredentials | `bool` | AllowCredentials indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note: If true, AllowOrigins cannot be set to a wildcard (`"*"`) to prevent security vulnerabilities. | `false` |
| AllowHeaders | `string` | AllowHeaders defines a list of request headers that can be used when making the actual request. This is in response to a preflight request. | `""` |
| AllowMethods | `string` | AllowMethods defines a list of methods allowed when accessing the resource. This is used in response to a preflight request. | `"GET,POST,HEAD,PUT,DELETE,PATCH"` |
| AllowOrigins | `string` | AllowOrigins defines a comma-separated list of origins that may access the resource. This supports subdomain matching, so you can use a value like "https://*.example.com" to allow any subdomain of example.com to submit requests. | `"*"` |
| AllowOriginsFunc | `func(origin string) bool` | `AllowOriginsFunc` is a function that dynamically determines whether to allow a request based on its origin. If this function returns `true`, the 'Access-Control-Allow-Origin' response header will be set to the request's 'origin' header. This function is only used if the request's origin doesn't match any origin in `AllowOrigins`. | `nil` |
| AllowPrivateNetwork | `bool` | Indicates whether the `Access-Control-Allow-Private-Network` response header should be set to `true`, allowing requests from private networks. This aligns with modern security practices for web applications interacting with private networks. | `false` |
| ExposeHeaders | `string` | ExposeHeaders defines whitelist headers that clients are allowed to access. | `""` |
| MaxAge | `int` | MaxAge indicates how long (in seconds) the results of a preflight request can be cached. If you pass MaxAge 0, the Access-Control-Max-Age header will not be added and the browser will use 5 seconds by default. To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header to 0. | `0` |
| Next | `func(fiber.Ctx) bool` | Next defines a function to skip this middleware when returned true. | `nil` |


## Default Config

Expand All @@ -140,6 +142,7 @@ var ConfigDefault = Config{
AllowCredentials: false,
ExposeHeaders: "",
MaxAge: 0,
AllowPrivateNetwork: false,
}
```

Expand Down
Loading

1 comment on commit 5e8df0a

@ReneWerner87
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 2.

Benchmark suite Current: 5e8df0a Previous: 1607d87 Ratio
Benchmark_Etag 199.7 ns/op 0 B/op 0 allocs/op 97.85 ns/op 0 B/op 0 allocs/op 2.04
Benchmark_Middleware_Favicon 211.8 ns/op 12 B/op 4 allocs/op 88.92 ns/op 3 B/op 1 allocs/op 2.38

This comment was automatically generated by workflow using github-action-benchmark.

Please sign in to comment.