(allowOrigins []string)
| 114 | } |
| 115 | |
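// cors returns a middleware that applies a CORS policy derived from
// allowOrigins.
//
// When allowOrigins is non-empty it is treated as an allow-list:
//   - a request whose Origin header is not in the list is rejected with 403;
//   - a request whose Origin is in the list gets CORS headers echoing that
//     origin (via setCorsHeaders);
//   - an OPTIONS request without an Origin header is rejected with 405;
//   - "Vary: Origin" is appended on every response from this branch,
//     including the two rejections, because the outcome depends on the
//     request's Origin header.
//
// When allowOrigins is empty, every response is marked with the wildcard
// origin "*", so any site can read it cross-origin.
// NOTE(review): confirm setCorsHeaders never emits
// Access-Control-Allow-Credentials in the wildcard case.
//
// OPTIONS requests that pass the checks are answered with 204 and are not
// forwarded; all other requests continue to the next handler.
func cors(allowOrigins []string) rex.Handle {
	allowList := set.NewReadOnly(allowOrigins...)
	return func(ctx *rex.Context) any {
		origin := ctx.R.Header.Get("Origin")
		isOptionsMethod := ctx.R.Method == "OPTIONS"
		h := ctx.W.Header()
		if allowList.Len() > 0 {
			if origin != "" {
				// NOTE(review): presumably an exact string match on the full
				// origin (scheme://host[:port]) — confirm against the set
				// implementation; substring or suffix matching here would
				// weaken the allow-list.
				if !allowList.Has(origin) {
					// The rejection depends on Origin, so tell shared caches
					// not to reuse it for requests from other origins.
					appendVaryHeader(h, "Origin")
					return rex.Status(403, "forbidden")
				}
				setCorsHeaders(h, isOptionsMethod, origin)
			} else if isOptionsMethod {
				// OPTIONS without an Origin header is not a CORS preflight.
				appendVaryHeader(h, "Origin")
				return rex.Status(405, "method not allowed")
			}
			// Kept after setCorsHeaders so the header order on the success
			// paths is unchanged.
			appendVaryHeader(h, "Origin")
		} else {
			// No allow-list configured: open CORS policy for every origin.
			setCorsHeaders(h, isOptionsMethod, "*")
		}
		if isOptionsMethod {
			// Preflight (or plain OPTIONS in wildcard mode): answer here,
			// do not run downstream handlers.
			return rex.NoContent()
		}
		return ctx.Next()
	}
}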
| 142 | |
| 143 | func setCorsHeaders(h http.Header, isOptionsMethod bool, origin string) { |
| 144 | h.Set("Access-Control-Allow-Origin", origin) |