fileupload: add CORS header fields
This commit is contained in:
parent
2a78536eb9
commit
6b89b99784
|
@ -162,6 +162,7 @@ func main() {
|
|||
Uploader: cfg.FileUploader,
|
||||
DB: db,
|
||||
Auth: cfg.Auth,
|
||||
HTTPOrigins: cfg.HTTPOrigins,
|
||||
}
|
||||
h.ServeHTTP(w, r)
|
||||
})
|
||||
|
|
|
@ -7,6 +7,7 @@ import (
|
|||
"io"
|
||||
"mime"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"path"
|
||||
"strings"
|
||||
"time"
|
||||
|
@ -56,11 +57,52 @@ type Handler struct {
|
|||
Uploader Uploader
|
||||
Auth auth.Authenticator
|
||||
DB database.Database
|
||||
HTTPOrigins []string
|
||||
}
|
||||
|
||||
func (h *Handler) checkOrigin(reqOrigin string) bool {
|
||||
for _, origin := range h.HTTPOrigins {
|
||||
match, err := path.Match(origin, reqOrigin)
|
||||
if err != nil {
|
||||
panic(err) // patterns are checked at config load time
|
||||
} else if match {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (h *Handler) setCORS(resp http.ResponseWriter, req *http.Request) error {
|
||||
resp.Header().Set("Access-Control-Allow-Credentials", "true")
|
||||
resp.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, Content-Disposition")
|
||||
resp.Header().Set("Access-Control-Expose-Headers", "Location, Content-Disposition")
|
||||
|
||||
reqOrigin := req.Header.Get("Origin")
|
||||
if reqOrigin == "" {
|
||||
return nil
|
||||
}
|
||||
u, err := url.Parse(reqOrigin)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid Origin header field: %v", err)
|
||||
}
|
||||
|
||||
if !strings.EqualFold(u.Host, req.Host) && !h.checkOrigin(reqOrigin) {
|
||||
return fmt.Errorf("unauthorized Origin")
|
||||
}
|
||||
|
||||
resp.Header().Set("Access-Control-Allow-Origin", reqOrigin)
|
||||
resp.Header().Set("Vary", "Origin")
|
||||
return nil
|
||||
}
|
||||
|
||||
func (h *Handler) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
|
||||
resp.Header().Set("Content-Security-Policy", "sandbox; default-src 'none'; script-src 'none';")
|
||||
|
||||
if err := h.setCORS(resp, req); err != nil {
|
||||
http.Error(resp, err.Error(), http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
if h.Uploader == nil {
|
||||
http.NotFound(resp, req)
|
||||
return
|
||||
|
|
Loading…
Reference in a new issue