cmd/noxy: add CORS headers to all endpoints

the simplest approach at the moment: allow requests from all origins,
only GET and OPTIONS methods.

allowed headers are '*'. this prevents clients from providing
credentials via cookies, which aren't used anyway. nuff cookies.
pull/2/head v0.0.1
alex 2 years ago
parent 813d0501bd
commit 78a1aae7e8
Signed by: x1ddos
GPG Key ID: FDEFB4A63CBD8460

@ -130,7 +130,7 @@ func main() {
log.Printf("listening on %s", *listenAddr) log.Printf("listening on %s", *listenAddr)
log.Printf("known relays: %s", strings.Join(knownRelays, ", ")) log.Printf("known relays: %s", strings.Join(knownRelays, ", "))
http.ListenAndServe(*listenAddr, logHandler(mux)) http.ListenAndServe(*listenAddr, logHandler(cors(mux)))
} }
// handles requests to / // handles requests to /
@ -198,6 +198,21 @@ func writeError(w http.ResponseWriter, err error) {
fmt.Fprint(w, err.Error()) fmt.Fprint(w, err.Error())
} }
func cors(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Headers", "*") // nb: wildcard prevents authentication
w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS")
if r.Method == "OPTIONS" {
w.Header().Set("Access-Control-Max-Age", "2592000") // valid for 30 days
w.WriteHeader(http.StatusNoContent)
return
}
w.Header().Set("Access-Control-Expose-Headers", "*");
h.ServeHTTP(w, r)
})
}
func logHandler(h http.Handler) http.Handler { func logHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s", r.Method, r.RequestURI) log.Printf("%s %s", r.Method, r.RequestURI)
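Review bot: The new `cors` wrapper is applied to the whole mux with `Access-Control-Allow-Origin: *`, so every current and future handler becomes readable by script on any website, and the function has no doc comment stating that constraint. This is only safe while no endpoint's response depends on who or where the caller is (network position, IP allow-listing, a later auth scheme), so I would add above `func cors` something like `// cors makes every response readable cross-origin; never mount handlers behind it whose output depends on the caller's identity or network position.` The `// nb: wildcard prevents authentication` remark holds only for browsers, which do not honour the wildcard on credentialed requests; it is not an access control against non-browser clients. The `// valid for 30 days` comment on `Access-Control-Max-Age` overstates the effect, since browsers clamp the preflight cache to their own, much shorter, maximum. As a style point, gofmt would drop the trailing `;` on the `Access-Control-Expose-Headers` line.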
