Diffstat (limited to 'vendor/github.com/gorilla/handlers')
-rw-r--r--vendor/github.com/gorilla/handlers/.travis.yml2
-rw-r--r--vendor/github.com/gorilla/handlers/cors.go12
-rw-r--r--vendor/github.com/gorilla/handlers/cors_test.go37
3 files changed, 49 insertions, 2 deletions
diff --git a/vendor/github.com/gorilla/handlers/.travis.yml b/vendor/github.com/gorilla/handlers/.travis.yml
index 4ea1e7a1f..1ba74af10 100644
--- a/vendor/github.com/gorilla/handlers/.travis.yml
+++ b/vendor/github.com/gorilla/handlers/.travis.yml
@@ -7,6 +7,7 @@ matrix:
- go: 1.5
- go: 1.6
- go: 1.7
+ - go: 1.8
- go: tip
allow_failures:
- go: tip
@@ -16,3 +17,4 @@ script:
- diff -u <(echo -n) <(gofmt -d .)
- go vet $(go list ./... | grep -v /vendor/)
- go test -v -race ./...
+
diff --git a/vendor/github.com/gorilla/handlers/cors.go b/vendor/github.com/gorilla/handlers/cors.go
index 1f92d1ad4..1cf7581ce 100644
--- a/vendor/github.com/gorilla/handlers/cors.go
+++ b/vendor/github.com/gorilla/handlers/cors.go
@@ -110,7 +110,17 @@ func (ch *cors) ServeHTTP(w http.ResponseWriter, r *http.Request) {
w.Header().Set(corsVaryHeader, corsOriginHeader)
}
- w.Header().Set(corsAllowOriginHeader, origin)
+ returnOrigin := origin
+ for _, o := range ch.allowedOrigins {
+ // A configuration of * is different than explicitly setting an allowed
+ // origin. Returning arbitrary origin headers an an access control allow
+ // origin header is unsafe and is not required by any use case.
+ if o == corsOriginMatchAll {
+ returnOrigin = "*"
+ break
+ }
+ }
+ w.Header().Set(corsAllowOriginHeader, returnOrigin)
if r.Method == corsOptionMethod {
return
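Review bot: Returning `*` from the new loop interacts with credentialed requests in a way the comment does not state: browsers reject `Access-Control-Allow-Origin: *` when `Access-Control-Allow-Credentials: true` is also sent, so a handler left on the default `*` origin plus credentials will stop working for every origin, including ones a custom validator accepted (the new TestCORSAllowStar shows the validator's acceptance of `a.example.com` being overridden by `*`). That is the safe outcome the commit intends, but it is a behaviour change worth recording next to the loop, e.g. `// NOTE: browsers reject "*" on credentialed requests; configure explicit origins rather than "*" when credentials are enabled.` The loop also re-derives a configuration-time fact on every request; a boolean computed once when the options are applied would replace it, though that code is outside this hunk. The comment's `an an access control allow origin header` should read `as an Access-Control-Allow-Origin header`. ServeHTTP starts and ends outside the hunk.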
diff --git a/vendor/github.com/gorilla/handlers/cors_test.go b/vendor/github.com/gorilla/handlers/cors_test.go
index c63913eee..61eb18f77 100644
--- a/vendor/github.com/gorilla/handlers/cors_test.go
+++ b/vendor/github.com/gorilla/handlers/cors_test.go
@@ -327,10 +327,45 @@ func TestCORSHandlerWithCustomValidator(t *testing.T) {
return false
}
- CORS(AllowedOriginValidator(originValidator))(testHandler).ServeHTTP(rr, r)
+ // Specially craft a CORS object.
+ handleFunc := func(h http.Handler) http.Handler {
+ c := &cors{
+ allowedMethods: defaultCorsMethods,
+ allowedHeaders: defaultCorsHeaders,
+ allowedOrigins: []string{"http://a.example.com"},
+ h: h,
+ }
+ AllowedOriginValidator(originValidator)(c)
+ return c
+ }
+
+ handleFunc(testHandler).ServeHTTP(rr, r)
header := rr.HeaderMap.Get(corsAllowOriginHeader)
if header != r.URL.String() {
t.Fatalf("bad header: expected %s to be %s, got %s.", corsAllowOriginHeader, r.URL.String(), header)
}
}
+
+func TestCORSAllowStar(t *testing.T) {
+ r := newRequest("GET", "http://a.example.com")
+ r.Header.Set("Origin", r.URL.String())
+ rr := httptest.NewRecorder()
+
+ testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
+ originValidator := func(origin string) bool {
+ if strings.HasSuffix(origin, ".example.com") {
+ return true
+ }
+ return false
+ }
+
+ CORS(AllowedOriginValidator(originValidator))(testHandler).ServeHTTP(rr, r)
+ header := rr.HeaderMap.Get(corsAllowOriginHeader)
+ // Because * is the default CORS policy (which is safe), we should be
+ // expect a * returned here as the Access Control Allow Origin header
+ if header != "*" {
+ t.Fatalf("bad header: expected %s to be %s, got %s.", corsAllowOriginHeader, r.URL.String(), header)
+ }
+
+}
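Review bot: The failure message in TestCORSAllowStar reports the wrong expected value: the assertion checks `header != "*"`, but the Fatalf prints `r.URL.String()` as the expectation, so a failing run would claim it expected `http://a.example.com`. It should read `t.Fatalf("bad header: expected %s to be %s, got %s.", corsAllowOriginHeader, "*", header)`. The validator in the same test can also collapse to `return strings.HasSuffix(origin, ".example.com")`, matching the intent more directly than the if/return-true/return-false form. The test for the explicit-origin case in TestCORSHandlerWithCustomValidator would benefit from a one-line comment stating that an explicit allowed origin, unlike `*`, is still echoed back, since that contrast is the point of the commit.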