package oidcauth
import (
"log"
"net/http"
)
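// VerifyOrigin returns middleware that checks the origin of each request
// against allowedOrigins. The origin is taken from the host part of the
// 'Origin' header (via getURLHost) and falls back to the host part of
// 'Referer' when 'Origin' yields nothing.
//
// Behaviour, in order:
//   - If allowedOrigins is empty, every request is handed to onErr.
//   - Access-Control-Allow-Origin is set to the matching allowed origin, or
//     to allowedOrigins[0] when nothing matches. Because that value depends
//     on the request's Origin header, "Vary: Origin" is added so shared
//     caches do not replay one origin's response to another.
//   - OPTIONS (preflight) requests return immediately once the headers are
//     set; no Allow-Methods / Allow-Headers are emitted by this middleware.
//   - A request whose origin matches is passed to next. A request whose
//     resolved origin is empty (neither header yields a host) is passed to
//     next only when it is a GET; every other request goes to onErr.
//
// getURLHost, isOPTIONS and isGET are package helpers defined elsewhere.
// NOTE(review): comparison is on whatever getURLHost returns — presumably
// host only, without scheme — confirm before relying on scheme-sensitive
// matching of allowed origins.
func VerifyOrigin(allowedOrigins []string, next http.Handler, onErr http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := getURLHost(r.Header.Get("Origin"))
		referer := getURLHost(r.Header.Get("Referer"))
		log.Printf("Origin: %v, Referer: %v", origin, referer)
		if origin == "" {
			origin = referer
		}

		if len(allowedOrigins) == 0 {
			log.Printf("List of allowed origins is empty, blocking request '%s'!", r.RequestURI)
			onErr.ServeHTTP(w, r)
			return
		}

		// Default to the first configured origin so the CORS header always
		// carries an operator-supplied value, never an echo of the request.
		allowedOrigin := allowedOrigins[0]
		for _, o := range allowedOrigins {
			if origin == o {
				allowedOrigin = origin
				break
			}
		}
		log.Printf("Chosen allow origin: %v", allowedOrigin)

		h := w.Header()
		h.Set("Access-Control-Allow-Origin", allowedOrigin)
		// The value above differs per request Origin, so the response must
		// not be served from a cache to a request with a different Origin.
		h.Add("Vary", "Origin")

		if isOPTIONS(r) {
			return
		}
		// Allow CORS request without Origin and Referer only for GET requests
		if origin == allowedOrigin || (origin == "" && isGET(r)) {
			next.ServeHTTP(w, r)
			return
		}
		log.Printf("Origin %s is not allowed, blocking request '%s'!", origin, r.RequestURI)
		onErr.ServeHTTP(w, r)
	})
}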