Go net/http configurable handler to handle CORS requests

rs/cors


CORS is a net/http handler implementing the Cross Origin Resource Sharing W3 specification in Golang.

Getting Started

After installing Go and setting up your GOPATH, create your first .go file. We'll call it server.go.

package main

import (
	"net/http"

	"github.com/rs/cors"
)

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte("{\"hello\":\"world\"}"))
	})

	// cors.Default() setup the middleware with default options being
	// all origins accepted with simple methods (GET, POST). See
	// documentation below for more options.
	handler := cors.Default().Handler(mux)
	http.ListenAndServe(":8080", handler)
}

Install cors:

go get github.com/rs/cors

Then run your server:

go run server.go

The server now runs on localhost:8080:

$ curl -D - -H 'Origin: http://foo.com' http://localhost:8080/
HTTP/1.1 200 OK
Access-Control-Allow-Origin: foo.com
Content-Type: application/json
Date: Sat, 25 Oct 2014 03:43:57 GMT
Content-Length: 18

{"hello": "world"}

Allow * With Credentials Security Protection

This library has been modified to avoid a well-known security issue when configured with AllowedOrigins set to * and AllowCredentials set to true. Such a setup used to make the library reflect the request Origin header value, working around a security protection embedded in the standard that makes clients refuse such a configuration. This behavior was removed with #55 and #57.

If you depend on this behavior and understand the implications, you can restore it using AllowOriginFunc with func(origin string) bool { return true }.

Please refer to #55 for more information about the security implications.
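
An allowlist validator in the func(origin string) bool shape that AllowOriginFunc takes, for setups that need credentials without accepting every origin. This is an added example, not code from rs/cors; the origins, the trustedSuffix zone and the allowOrigin name are assumptions, and the wiring into cors.Options appears only as a comment so the block runs with the standard library alone.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// trustedOrigins is a constructed allowlist; replace with your own front ends.
var trustedOrigins = map[string]bool{
	"https://app.example.com":   true,
	"https://admin.example.com": true,
}

// trustedSuffix (assumed zone) admits HTTPS subdomains of one zone you control.
// The leading dot forces a label boundary, so "evilapps.example.com" fails.
const trustedSuffix = ".apps.example.com"

// allowOrigin returns true only for vetted origins. Assumed wiring:
//   cors.New(cors.Options{AllowOriginFunc: allowOrigin, AllowCredentials: true})
func allowOrigin(origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return false // rejects "null", http:// downgrades and malformed values
	}
	// A serialized origin is scheme://host[:port] and nothing else.
	if u.User != nil || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return false
	}
	canon := u.Scheme + "://" + strings.ToLower(u.Host)
	if trustedOrigins[canon] {
		return true
	}
	host := strings.ToLower(u.Hostname())
	return u.Port() == "" && strings.HasSuffix(host, trustedSuffix)
}

func main() {
	for _, o := range []string{ // constructed sample Origin header values
		"https://app.example.com",
		"https://team1.apps.example.com",
		"https://app.example.com.evil.test",
		"https://evilapps.example.com",
		"null",
	} {
		fmt.Printf("%-36s allowed=%v\n", o, allowOrigin(o))
	}
}
```

Only origins for which the function returns true get treated as allowed, so a credentialed response is never paired with an origin outside the list.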

More Examples

Parameters

Parameters are passed to the middleware through the cors.New method as follows:

c := cors.New(cors.Options{
	AllowedOrigins:   []string{"http://foo.com", "http://foo.com:8080"},
	AllowCredentials: true,
	// Enable Debugging for testing, consider disabling in production
	Debug: true,
})

// Insert the middleware
handler = c.Handler(handler)

  • AllowedOrigins []string: A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin. The default value is *.
  • AllowOriginFunc func (origin string) bool: A custom function to validate the origin. It takes the origin as an argument and returns true if allowed, or false otherwise. If this option is set, the content of AllowedOrigins is ignored.
  • AllowOriginRequestFunc func (r *http.Request, origin string) bool: A custom function to validate the origin. It takes the HTTP Request object and the origin as arguments and returns true if allowed, or false otherwise. If this option is set, the contents of AllowedOrigins and AllowOriginFunc are ignored. Deprecated: use AllowOriginVaryRequestFunc instead.
  • AllowOriginVaryRequestFunc func(r *http.Request, origin string) (bool, []string): A custom function to validate the origin. It takes the HTTP Request object and the origin as arguments and returns true if allowed, or false otherwise, together with a list of the headers used to make that decision, if any, so they can be added to the Vary header. If this option is set, the contents of AllowedOrigins, AllowOriginFunc and AllowOriginRequestFunc are ignored.
  • AllowedMethods []string: A list of methods the client is allowed to use with cross-domain requests. Default value is simple methods (GET and POST).
  • AllowedHeaders []string: A list of non-simple headers the client is allowed to use with cross-domain requests.
  • ExposedHeaders []string: Indicates which headers are safe to expose to the API of a CORS API specification.
  • AllowCredentials bool: Indicates whether the request can include user credentials like cookies, HTTP authentication or client-side SSL certificates. The default is false.
  • AllowPrivateNetwork bool: Indicates whether to accept cross-origin requests over a private network.
  • MaxAge int: Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0, which stands for no max age.
  • OptionsPassthrough bool: Instructs preflight to let other potential next handlers process the OPTIONS method. Turn this on if your application handles OPTIONS.
  • OptionsSuccessStatus int: Provides a status code to use for successful OPTIONS requests. Default value is http.StatusNoContent (204).
  • Debug bool: Debugging flag that adds additional output to debug server-side CORS issues.

See API documentation for more info.

Benchmarks

goos: darwin
goarch: arm64
pkg: github.com/rs/cors
BenchmarkWithout-10             135325480         8.124 ns/op       0 B/op       0 allocs/op
BenchmarkDefault-10              24082140        51.40 ns/op        0 B/op       0 allocs/op
BenchmarkAllowedOrigin-10        16424518        88.25 ns/op        0 B/op       0 allocs/op
BenchmarkPreflight-10             8010259       147.3 ns/op         0 B/op       0 allocs/op
BenchmarkPreflightHeader-10       6850962       175.0 ns/op         0 B/op       0 allocs/op
BenchmarkWildcard/match-10      253275342         4.714 ns/op       0 B/op       0 allocs/op
BenchmarkWildcard/too_short-10 1000000000         0.6235 ns/op      0 B/op       0 allocs/op
PASS
ok  github.com/rs/cors 99.131s

Licenses

All source code is licensed under the MIT License.
