forked from gitea/gitea
Add configuration for CORS allowed headers (#21747)
This PR enhances the CORS middleware usage by allowing for the headers to be configured in `app.ini`. Fixes #21746 Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
parent
fb704f6c72
commit
2cbea23d70
|
@ -1138,6 +1138,9 @@ ROUTER = console
|
||||||
;; allow request with credentials
|
;; allow request with credentials
|
||||||
;ALLOW_CREDENTIALS = false
|
;ALLOW_CREDENTIALS = false
|
||||||
;;
|
;;
|
||||||
|
;; headers to permit
|
||||||
|
;HEADERS = Content-Type,User-Agent
|
||||||
|
;;
|
||||||
;; set X-FRAME-OPTIONS header
|
;; set X-FRAME-OPTIONS header
|
||||||
;X_FRAME_OPTIONS = SAMEORIGIN
|
;X_FRAME_OPTIONS = SAMEORIGIN
|
||||||
|
|
||||||
|
|
|
@ -200,6 +200,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
|
||||||
- `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
|
- `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
|
||||||
- `MAX_AGE`: **10m**: max time to cache response
|
- `MAX_AGE`: **10m**: max time to cache response
|
||||||
- `ALLOW_CREDENTIALS`: **false**: allow request with credentials
|
- `ALLOW_CREDENTIALS`: **false**: allow request with credentials
|
||||||
|
- `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests
|
||||||
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
|
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
|
||||||
|
|
||||||
## UI (`ui`)
|
## UI (`ui`)
|
||||||
|
|
|
@ -19,10 +19,12 @@ var CORSConfig = struct {
|
||||||
Methods []string
|
Methods []string
|
||||||
MaxAge time.Duration
|
MaxAge time.Duration
|
||||||
AllowCredentials bool
|
AllowCredentials bool
|
||||||
|
Headers []string
|
||||||
XFrameOptions string
|
XFrameOptions string
|
||||||
}{
|
}{
|
||||||
Enabled: false,
|
Enabled: false,
|
||||||
MaxAge: 10 * time.Minute,
|
MaxAge: 10 * time.Minute,
|
||||||
|
Headers: []string{"Content-Type", "User-Agent"},
|
||||||
XFrameOptions: "SAMEORIGIN",
|
XFrameOptions: "SAMEORIGIN",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -617,7 +617,7 @@ func Routes(ctx gocontext.Context) *web.Route {
|
||||||
// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
|
// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
|
||||||
AllowedMethods: setting.CORSConfig.Methods,
|
AllowedMethods: setting.CORSConfig.Methods,
|
||||||
AllowCredentials: setting.CORSConfig.AllowCredentials,
|
AllowCredentials: setting.CORSConfig.AllowCredentials,
|
||||||
AllowedHeaders: []string{"Authorization", "X-Gitea-OTP"},
|
AllowedHeaders: append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),
|
||||||
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
|
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
|
|
@ -67,6 +67,7 @@ func CorsHandler() func(next http.Handler) http.Handler {
|
||||||
// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
|
// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
|
||||||
AllowedMethods: setting.CORSConfig.Methods,
|
AllowedMethods: setting.CORSConfig.Methods,
|
||||||
AllowCredentials: setting.CORSConfig.AllowCredentials,
|
AllowCredentials: setting.CORSConfig.AllowCredentials,
|
||||||
|
AllowedHeaders: setting.CORSConfig.Headers,
|
||||||
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
|
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue