|
3 | 3 | // |
4 | 4 | // You can configure it by passing an option struct to cors.New: |
5 | 5 | // |
6 | | -// c := cors.New(cors.Options{ |
7 | | -// AllowedOrigins: []string{"foo.com"}, |
8 | | -// AllowedMethods: []string{"GET", "POST", "DELETE"}, |
9 | | -// AllowCredentials: true, |
10 | | -// }) |
| 6 | +// c := cors.New(cors.Options{ |
| 7 | +// AllowedOrigins: []string{"foo.com"}, |
| 8 | +// AllowedMethods: []string{"GET", "POST", "DELETE"}, |
| 9 | +// AllowCredentials: true, |
| 10 | +// }) |
11 | 11 | // |
12 | 12 | // Then insert the handler in the chain: |
13 | 13 | // |
14 | | -// handler = c.Handler(handler) |
| 14 | +// handler = c.Handler(handler) |
15 | 15 | // |
16 | 16 | // See Options documentation for more options. |
17 | 17 | // |
@@ -210,7 +210,10 @@ func AllowAll() *Cors { |
210 | 210 | // as necessary. |
211 | 211 | func (c *Cors) Handler(next http.Handler) http.Handler { |
212 | 212 | return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
213 | | - if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" { |
| 213 | + // null or empty Origin header value is acceptable and it is considered having that header |
| 214 | + _, hasOriginHeader := r.Header["Origin"] |
| 215 | + |
| 216 | + if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" && hasOriginHeader { |
214 | 217 | c.logf("Handler: Preflight request") |
215 | 218 | c.handlePreflight(w, r) |
216 | 219 | // Preflight requests are standalone and should stop the chain as some other |
@@ -246,10 +249,6 @@ func (c *Cors) handlePreflight(w http.ResponseWriter, r *http.Request) { |
246 | 249 | headers.Add("Vary", "Access-Control-Request-Method") |
247 | 250 | headers.Add("Vary", "Access-Control-Request-Headers") |
248 | 251 |
|
249 | | - if origin == "" { |
250 | | - c.logf("Preflight aborted: empty origin") |
251 | | - return |
252 | | - } |
253 | 252 | if !c.isOriginAllowed(r, origin) { |
254 | 253 | c.logf("Preflight aborted: origin '%s' not allowed", origin) |
255 | 254 | return |
@@ -291,14 +290,17 @@ func (c *Cors) handlePreflight(w http.ResponseWriter, r *http.Request) { |
291 | 290 | // handleActualRequest handles simple cross-origin requests, actual request or redirects |
292 | 291 | func (c *Cors) handleActualRequest(w http.ResponseWriter, r *http.Request) { |
293 | 292 | headers := w.Header() |
294 | | - origin := r.Header.Get("Origin") |
| 293 | + // null Origin header value is acceptable and it is considered having that header |
| 294 | + _, hasOriginHeader := r.Header["Origin"] |
295 | 295 |
|
296 | 296 | // Always set Vary, see https://github.com/rs/cors/issues/10 |
297 | 297 | headers.Add("Vary", "Origin") |
298 | | - if origin == "" { |
| 298 | + |
| 299 | + if !hasOriginHeader { |
299 | 300 | c.logf("Actual request no headers added: missing origin") |
300 | 301 | return |
301 | 302 | } |
| 303 | + origin := r.Header.Get("Origin") |
302 | 304 | if !c.isOriginAllowed(r, origin) { |
303 | 305 | c.logf("Actual request no headers added: origin '%s' not allowed", origin) |
304 | 306 | return |
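Review bot: With the presence test `_, hasOriginHeader := r.Header["Origin"]` in handleActualRequest (the same test is added in Handler, and handlePreflight loses its `origin == ""` guard), an `Origin:` header with an empty value now reaches `c.isOriginAllowed(r, origin)` as `""`, which these paths previously prevented. isOriginAllowed is outside the visible hunks, so how it treats `""` cannot be confirmed here; any wildcard matching or caller-supplied origin callback behind it should be checked against an empty string, and a test for the empty-value and literal `null` cases in both the preflight and actual-request paths would pin the intended result. The two new comments also disagree (`null or empty` in Handler, `null` only here) and read as if the literal `null` and an empty value were the same thing; one wording in both places would help, e.g. `// A present Origin header marks a CORS request even if its value is empty or the literal "null"; validation is left to isOriginAllowed.` handleActualRequest continues past the end of this hunk.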