authorChristopher Speller <crspeller@gmail.com>2018-08-28 10:05:26 -0700
committerGitHub <noreply@github.com>2018-08-28 10:05:26 -0700
commit61e27beabc9804fdcf59ed9df2180802175a4f70 (patch)
tree52c86f5cdbd4e13d05b8f9dddad1a01b88e26cab /vendor/github.com/gorilla/handlers/cors.go
parent347ee1d205c95f5fd766e206cc65bfb9782a2623 (diff)
Updating dependancies. (#9303)
Diffstat (limited to 'vendor/github.com/gorilla/handlers/cors.go')
-rw-r--r--vendor/github.com/gorilla/handlers/cors.go29
1 files changed, 20 insertions, 9 deletions
diff --git a/vendor/github.com/gorilla/handlers/cors.go b/vendor/github.com/gorilla/handlers/cors.go
index 1cf7581ce..1acf80d1b 100644
--- a/vendor/github.com/gorilla/handlers/cors.go
+++ b/vendor/github.com/gorilla/handlers/cors.go
@@ -48,7 +48,10 @@ const (
func (ch *cors) ServeHTTP(w http.ResponseWriter, r *http.Request) {
origin := r.Header.Get(corsOriginHeader)
if !ch.isOriginAllowed(origin) {
- ch.h.ServeHTTP(w, r)
+ if r.Method != corsOptionMethod || ch.ignoreOptions {
+ ch.h.ServeHTTP(w, r)
+ }
+
return
}
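Review bot: In the `!ch.isOriginAllowed(origin)` branch, an OPTIONS request now returns without calling the wrapped handler or writing a status, so the client gets an implicit 200 with no CORS headers, while any other method from a rejected origin is still passed to `ch.h`. That second path means the middleware only withholds response headers and does not stop the request from executing, which deserves a comment such as `// CORS is not access control: rejected origins still reach the handler for non-OPTIONS methods`. If the origin check also rejects an empty Origin header (not visible in this hunk), handlers that answer plain OPTIONS themselves would need `ignoreOptions` set after this update. ServeHTTP continues outside the hunk.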
@@ -111,13 +114,17 @@ func (ch *cors) ServeHTTP(w http.ResponseWriter, r *http.Request) {
}
returnOrigin := origin
- for _, o := range ch.allowedOrigins {
- // A configuration of * is different than explicitly setting an allowed
- // origin. Returning arbitrary origin headers an an access control allow
- // origin header is unsafe and is not required by any use case.
- if o == corsOriginMatchAll {
- returnOrigin = "*"
- break
+ if ch.allowedOriginValidator == nil && len(ch.allowedOrigins) == 0 {
+ returnOrigin = "*"
+ } else {
+ for _, o := range ch.allowedOrigins {
+ // A configuration of * is different than explicitly setting an allowed
+ // origin. Returning arbitrary origin headers in an access control allow
+ // origin header is unsafe and is not required by any use case.
+ if o == corsOriginMatchAll {
+ returnOrigin = "*"
+ break
+ }
}
}
w.Header().Set(corsAllowOriginHeader, returnOrigin)
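Review bot: An empty `ch.allowedOrigins` now means "allow every origin" (`returnOrigin = "*"` here, and `isOriginAllowed` returns true on `len(ch.allowedOrigins) == 0` in the last hunk), where previously the wildcard had to be present in the list as the default entry. If the origins option stores the caller's slice as given (not visible on this page), a caller whose configured list comes out empty would fail open to `*` instead of matching nothing, so call sites that pass a computed list should be checked after this update. A comment at the check would make the contract explicit: `// empty allowedOrigins + nil validator == wildcard; an empty list does not mean "deny"`. The same default is set in the `parseCORSOptions` hunk (`allowedOrigins: []string{}`).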
@@ -159,7 +166,7 @@ func parseCORSOptions(opts ...CORSOption) *cors {
ch := &cors{
allowedMethods: defaultCorsMethods,
allowedHeaders: defaultCorsHeaders,
- allowedOrigins: []string{corsOriginMatchAll},
+ allowedOrigins: []string{},
}
for _, option := range opts {
@@ -307,6 +314,10 @@ func (ch *cors) isOriginAllowed(origin string) bool {
return ch.allowedOriginValidator(origin)
}
+ if len(ch.allowedOrigins) == 0 {
+ return true
+ }
+
for _, allowedOrigin := range ch.allowedOrigins {
if allowedOrigin == origin || allowedOrigin == corsOriginMatchAll {
return true