gf/net/ghttp/ghttp_response_cors.go

// Copyright GoFrame Author(https://goframe.org). All Rights Reserved.
//
// This Source Code Form is subject to the terms of the MIT License.
// If a copy of the MIT was not distributed with this file,
// You can obtain one at https://github.com/gogf/gf.
//

package ghttp

import (
	"net/http"
	"net/url"

	"github.com/gogf/gf/v2/text/gstr"
	"github.com/gogf/gf/v2/util/gconv"
)

// CORSOptions is the options for CORS feature.
// See https://www.w3.org/TR/cors/ .
type CORSOptions struct {
	AllowDomain      []string // Used for allowing requests from custom domains
	AllowOrigin      string   // Access-Control-Allow-Origin
	AllowCredentials string   // Access-Control-Allow-Credentials
	ExposeHeaders    string   // Access-Control-Expose-Headers
	MaxAge           int      // Access-Control-Max-Age
	AllowMethods     string   // Access-Control-Allow-Methods
	AllowHeaders     string   // Access-Control-Allow-Headers
}

var (
	// defaultAllowHeaders is the default allowed headers for CORS.
	// It defined another map for better header key searching performance.
	defaultAllowHeaders    = "Origin,Content-Type,Accept,User-Agent,Cookie,Authorization,X-Auth-Token,X-Requested-With"
	defaultAllowHeadersMap = make(map[string]struct{})
)

func init() {
	array := gstr.SplitAndTrim(defaultAllowHeaders, ",")
	for _, header := range array {
		defaultAllowHeadersMap[header] = struct{}{}
	}
}

// DefaultCORSOptions returns the default CORS options,
// which allows any cross-domain request.
func (r *Response) DefaultCORSOptions() CORSOptions {
	options := CORSOptions{
		AllowOrigin:      "*",
		AllowMethods:     supportedHttpMethods,
		AllowCredentials: "true",
		AllowHeaders:     defaultAllowHeaders,
		MaxAge:           3628800,
	}
	// Allow all client's custom headers in default.
	if headers := r.Request.Header.Get("Access-Control-Request-Headers"); headers != "" {
		array := gstr.SplitAndTrim(headers, ",")
		for _, header := range array {
			if _, ok := defaultAllowHeadersMap[header]; !ok {
				options.AllowHeaders += "," + header
			}
		}
	}
	// Allow all anywhere origin in default.
	if origin := r.Request.Header.Get("Origin"); origin != "" {
		options.AllowOrigin = origin
	} else if referer := r.Request.Referer(); referer != "" {
		if p := gstr.PosR(referer, "/", 6); p != -1 {
			options.AllowOrigin = referer[:p]
		} else {
			options.AllowOrigin = referer
		}
	}
	return options
}

// CORS sets custom CORS options.
// See https://www.w3.org/TR/cors/ .
func (r *Response) CORS(options CORSOptions) {
	if r.CORSAllowedOrigin(options) {
		r.Header().Set("Access-Control-Allow-Origin", options.AllowOrigin)
	}
	if options.AllowCredentials != "" {
		r.Header().Set("Access-Control-Allow-Credentials", options.AllowCredentials)
	}
	if options.ExposeHeaders != "" {
		r.Header().Set("Access-Control-Expose-Headers", options.ExposeHeaders)
	}
	if options.MaxAge != 0 {
		r.Header().Set("Access-Control-Max-Age", gconv.String(options.MaxAge))
	}
	if options.AllowMethods != "" {
		r.Header().Set("Access-Control-Allow-Methods", options.AllowMethods)
	}
	if options.AllowHeaders != "" {
		r.Header().Set("Access-Control-Allow-Headers", options.AllowHeaders)
	}
	// No continue service handling if it's OPTIONS request.
	// Note that there's special checks in previous router searching,
	// so if it goes to here it means there's already serving handler exist.
	if gstr.Equal(r.Request.Method, "OPTIONS") {
		if r.Status == 0 {
			r.Status = http.StatusOK
		}
		// No continue serving.
		r.Request.ExitAll()
	}
}

// CORSAllowedOrigin CORSAllowed checks whether the current request origin is allowed cross-domain.
func (r *Response) CORSAllowedOrigin(options CORSOptions) bool {
	if options.AllowDomain == nil {
		return true
	}
	origin := r.Request.Header.Get("Origin")
	if origin == "" {
		return true
	}
	parsed, err := url.Parse(origin)
	if err != nil {
		return false
	}
	for _, v := range options.AllowDomain {
		if gstr.IsSubDomain(parsed.Host, v) {
			return true
		}
	}
	return false
}

// CORSDefault sets CORS with default CORS options,
// which allows any cross-domain request.
func (r *Response) CORSDefault() {
	r.CORS(r.DefaultCORSOptions())
}
copyright comment update 2021-01-17 21:46:25 +08:00			`// Copyright GoFrame Author(https://goframe.org). All Rights Reserved.`
update CORS feature of ghttp.Response; add more unit cases for ghttp.Server 2019-03-01 23:45:55 +08:00			`//`
			`// This Source Code Form is subject to the terms of the MIT License.`
			`// If a copy of the MIT was not distributed with this file,`
			`// You can obtain one at https://github.com/gogf/gf.`
			`//`

			`package ghttp`

			`import (`
improve CORS feature for ghttp.Server 2020-03-04 22:52:56 +08:00			`"net/http"`
			`"net/url"`
Improved import, by group improt. 2021-11-13 23:23:55 +08:00
			`"github.com/gogf/gf/v2/text/gstr"`
			`"github.com/gogf/gf/v2/util/gconv"`
update CORS feature of ghttp.Response; add more unit cases for ghttp.Server 2019-03-01 23:45:55 +08:00			`)`

update travis for adding mysql password; add custom view feature for ghttp.Response 2019-11-20 12:09:26 +08:00			`// CORSOptions is the options for CORS feature.`
update CORS feature of ghttp.Response; add more unit cases for ghttp.Server 2019-03-01 23:45:55 +08:00			`// See https://www.w3.org/TR/cors/ .`
			`type CORSOptions struct {`
improve gfile/gstr/ghttp 2019-09-23 16:21:19 +08:00			`AllowDomain []string // Used for allowing requests from custom domains`
			`AllowOrigin string // Access-Control-Allow-Origin`
			`AllowCredentials string // Access-Control-Allow-Credentials`
			`ExposeHeaders string // Access-Control-Expose-Headers`
			`MaxAge int // Access-Control-Max-Age`
			`AllowMethods string // Access-Control-Allow-Methods`
			`AllowHeaders string // Access-Control-Allow-Headers`
update CORS feature of ghttp.Response; add more unit cases for ghttp.Server 2019-03-01 23:45:55 +08:00			`}`

improve router feature for ghttp.Server 2020-03-04 17:29:23 +08:00			`var (`
			`// defaultAllowHeaders is the default allowed headers for CORS.`
improve comment 2022-03-19 17:58:21 +08:00			`// It defined another map for better header key searching performance.`
improve CORS feature for ghttp.Server 2020-03-04 22:52:56 +08:00			`defaultAllowHeaders = "Origin,Content-Type,Accept,User-Agent,Cookie,Authorization,X-Auth-Token,X-Requested-With"`
			`defaultAllowHeadersMap = make(map[string]struct{})`
improve router feature for ghttp.Server 2020-03-04 17:29:23 +08:00			`)`

improve CORS feature for ghttp.Server 2020-03-04 22:52:56 +08:00			`func init() {`
			`array := gstr.SplitAndTrim(defaultAllowHeaders, ",")`
			`for _, header := range array {`
			`defaultAllowHeadersMap[header] = struct{}{}`
			`}`
			`}`

improve gfile/gstr/ghttp 2019-09-23 16:21:19 +08:00			`// DefaultCORSOptions returns the default CORS options,`
			`// which allows any cross-domain request.`
update CORS feature of ghttp.Response; add more unit cases for ghttp.Server 2019-03-01 23:45:55 +08:00			`func (r *Response) DefaultCORSOptions() CORSOptions {`
improve CORS feature for ghttp.Server 2019-09-03 17:18:16 +08:00			`options := CORSOptions{`
improve ghttp.CORSDefault 2019-06-24 19:05:07 +08:00			`AllowOrigin: "*",`
make unnecessaryly exported resource private for package ghttp 2021-01-19 19:33:21 +08:00			`AllowMethods: supportedHttpMethods,`
gofmt 2019-06-19 09:06:52 +08:00			`AllowCredentials: "true",`
improve CORS feature for ghttp.Server 2020-03-04 22:52:56 +08:00			`AllowHeaders: defaultAllowHeaders,`
gofmt 2019-06-19 09:06:52 +08:00			`MaxAge: 3628800,`
			`}`
improve router feature for ghttp.Server 2020-03-04 17:29:23 +08:00			`// Allow all client's custom headers in default.`
			`if headers := r.Request.Header.Get("Access-Control-Request-Headers"); headers != "" {`
			`array := gstr.SplitAndTrim(headers, ",")`
			`for _, header := range array {`
improve CORS feature for ghttp.Server 2020-03-04 22:52:56 +08:00			`if _, ok := defaultAllowHeadersMap[header]; !ok {`
fix: Access-Control-Request-Headers 2020-08-04 11:57:42 +08:00			`options.AllowHeaders += "," + header`
improve router feature for ghttp.Server 2020-03-04 17:29:23 +08:00			`}`
			`}`
			`}`
			`// Allow all anywhere origin in default.`
fix issue in cors 2019-09-26 15:54:13 +08:00			`if origin := r.Request.Header.Get("Origin"); origin != "" {`
RELEASE updates 2019-09-23 22:00:04 +08:00			`options.AllowOrigin = origin`
improve ghttp.Response; move gflock to new repo 2019-09-24 20:19:18 +08:00			`} else if referer := r.Request.Referer(); referer != "" {`
improve CORS feature for ghttp.Server 2019-09-03 17:18:16 +08:00			`if p := gstr.PosR(referer, "/", 6); p != -1 {`
			`options.AllowOrigin = referer[:p]`
			`} else {`
			`options.AllowOrigin = referer`
			`}`
			`}`
			`return options`
update CORS feature of ghttp.Response; add more unit cases for ghttp.Server 2019-03-01 23:45:55 +08:00			`}`

improve gfile/gstr/ghttp 2019-09-23 16:21:19 +08:00			`// CORS sets custom CORS options.`
update CORS feature of ghttp.Response; add more unit cases for ghttp.Server 2019-03-01 23:45:55 +08:00			`// See https://www.w3.org/TR/cors/ .`
			`func (r *Response) CORS(options CORSOptions) {`
RELEASE updates 2019-09-23 22:00:04 +08:00			`if r.CORSAllowedOrigin(options) {`
gofmt 2019-06-19 09:06:52 +08:00			`r.Header().Set("Access-Control-Allow-Origin", options.AllowOrigin)`
			`}`
			`if options.AllowCredentials != "" {`
			`r.Header().Set("Access-Control-Allow-Credentials", options.AllowCredentials)`
			`}`
			`if options.ExposeHeaders != "" {`
			`r.Header().Set("Access-Control-Expose-Headers", options.ExposeHeaders)`
			`}`
			`if options.MaxAge != 0 {`
			`r.Header().Set("Access-Control-Max-Age", gconv.String(options.MaxAge))`
			`}`
			`if options.AllowMethods != "" {`
			`r.Header().Set("Access-Control-Allow-Methods", options.AllowMethods)`
			`}`
			`if options.AllowHeaders != "" {`
			`r.Header().Set("Access-Control-Allow-Headers", options.AllowHeaders)`
			`}`
improve CORS feature for ghttp.Server 2020-02-16 23:18:37 +08:00			`// No continue service handling if it's OPTIONS request.`
improve CORS feature for ghttp.Server 2020-03-17 17:46:43 +08:00			`// Note that there's special checks in previous router searching,`
			`// so if it goes to here it means there's already serving handler exist.`
improve CORS feature for ghttp.Server 2020-02-16 23:18:37 +08:00			`if gstr.Equal(r.Request.Method, "OPTIONS") {`
			`if r.Status == 0 {`
improve CORS feature for ghttp.Server 2020-03-17 17:46:43 +08:00			`r.Status = http.StatusOK`
improve CORS feature for ghttp.Server 2020-02-16 23:18:37 +08:00			`}`
improve CORS feature for ghttp.Server 2020-03-17 17:46:43 +08:00			`// No continue serving.`
improve CORS feature for ghttp.Server 2020-02-16 23:18:37 +08:00			`r.Request.ExitAll()`
			`}`
update CORS feature of ghttp.Response; add more unit cases for ghttp.Server 2019-03-01 23:45:55 +08:00			`}`

Improved import, by group improt. 2021-11-13 23:23:55 +08:00			`// CORSAllowedOrigin CORSAllowed checks whether the current request origin is allowed cross-domain.`
RELEASE updates 2019-09-23 22:00:04 +08:00			`func (r *Response) CORSAllowedOrigin(options CORSOptions) bool {`
			`if options.AllowDomain == nil {`
			`return true`
			`}`
improve ghttp.Response; move gflock to new repo 2019-09-24 20:19:18 +08:00			`origin := r.Request.Header.Get("Origin")`
RELEASE updates 2019-09-23 22:00:04 +08:00			`if origin == "" {`
improve ghttp.Response; move gflock to new repo 2019-09-24 20:19:18 +08:00			`return true`
RELEASE updates 2019-09-23 22:00:04 +08:00			`}`
			`parsed, err := url.Parse(origin)`
			`if err != nil {`
			`return false`
			`}`
			`for _, v := range options.AllowDomain {`
			`if gstr.IsSubDomain(parsed.Host, v) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

improve gfile/gstr/ghttp 2019-09-23 16:21:19 +08:00			`// CORSDefault sets CORS with default CORS options,`
			`// which allows any cross-domain request.`
update CORS feature of ghttp.Response; add more unit cases for ghttp.Server 2019-03-01 23:45:55 +08:00			`func (r *Response) CORSDefault() {`
gofmt 2019-06-19 09:06:52 +08:00			`r.CORS(r.DefaultCORSOptions())`
update CORS feature of ghttp.Response; add more unit cases for ghttp.Server 2019-03-01 23:45:55 +08:00			`}`