
Commited41edd

committed
Simplify CORS handler with AllowOriginFunc
1 parent28ec76b commited41edd


2 files changed

+16
-32
lines changed


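--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -407,10 +407,7 @@ func New(options *Options) *API {
 //
 // Workspace apps do their own auth and CORS and must be BEFORE the auth
 // and CORS middleware.
-// REVIEW: Would it be worth creating httpmw.ExtractWorkspaceApp and using a
-// single CORS middleware?
 api.workspaceAppServer.HandleSubdomain(apiRateLimiter),
-// REVIEW: Is it OK that CORS come after the above middleware?
 cors,
 // Build-Version is helpful for debugging.
 func(next http.Handler) http.Handler {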

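--- a/coderd/workspaceapps/proxy.go
+++ b/coderd/workspaceapps/proxy.go
@@ -362,37 +362,24 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)
 return
 }
 
-// REVIEW: Like mentioned in coderd.go maybe we should extract the app
-// using middleware that way we can do this in a single top-level CORS
-// handler? Or just do the URL parsing twice.
-varcorsmwfunc(next http.Handler) http.Handler
-origin:=r.Header.Get("Origin")
-iforiginApp,ok:=s.parseOrigin(origin);ok&&originApp.Username==app.Username {
-corsmw=cors.Handler(cors.Options{
-AllowedOrigins: []string{origin},
-AllowedMethods: []string{
-http.MethodHead,
-http.MethodGet,
-http.MethodPost,
-http.MethodPut,
-http.MethodPatch,
-http.MethodDelete,
-},
-AllowedHeaders: []string{"*"},
-AllowCredentials:true,
-})
-}else {
-corsmw=cors.Handler(cors.Options{
-AllowedOrigins: []string{""},// The middleware defaults to *.
-AllowedMethods: []string{},
-AllowedHeaders: []string{},
-AllowCredentials:false,
-})
-}
-
 // Use the passed in app middlewares before checking authentication and
 // passing to the proxy app.
-mws:=chi.Middlewares(append(middlewares,corsmw))
+mws:=chi.Middlewares(append(middlewares,cors.Handler(cors.Options{
+AllowOriginFunc:func(r*http.Request,originstring)bool {
+originApp,ok:=s.parseOrigin(origin)
+returnok&&originApp.Username==app.Username
+},
+AllowedMethods: []string{
+http.MethodHead,
+http.MethodGet,
+http.MethodPost,
+http.MethodPut,
+http.MethodPatch,
+http.MethodDelete,
+},
+AllowedHeaders: []string{"*"},
+AllowCredentials:true,
+})))
 mws.Handler(http.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {
 if!s.handleAPIKeySmuggling(rw,r,AccessMethodSubdomain) {
 return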
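Review bot: The `AllowOriginFunc` closure is now the only gate in front of `AllowCredentials: true` with `AllowedHeaders: []string{"*"}`, and nothing in the new lines records the policy it enforces. A comment above it such as `// Allow credentialed CORS only from app origins owned by the same user as the requested app; any other origin gets no CORS headers.` would keep that visible now that the explicit deny branch is gone. Because the comparison is on `Username` alone, the check is only as strict as `s.parseOrigin`, which is not visible here; it presumably rejects origins outside the app hostname pattern, and tests for a foreign-user origin and a non-app origin would pin that. The unused request parameter could be written `_ *http.Request`. The enclosing handler starts and ends outside the hunk.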
