| 536 | } |
| 537 | |
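// corsMiddleware answers CORS preflight (OPTIONS) requests itself and stamps
// a small set of browser security headers on every other response before
// handing the request to next.
//
// Browsers send an OPTIONS preflight before a cross-origin request that uses
// a non-simple method or a custom header such as X-API-Key. That preflight
// carries no credentials and so cannot be authenticated; this handler must
// therefore sit in front of the authentication middleware (i.e. it is wrapped
// last when the chain is built).
//
// Only the preflight reply carries Access-Control-Allow-Origin. The real
// responses below do not, so a browser will still refuse to expose them to a
// foreign origin even though the preflight is answered with a wildcard.
// Cross-origin protection of the API therefore rests on the authentication
// applied further down the chain, not on this middleware.
//
// allowFrameLoading disables the X-Frame-Options header; it is the escape
// hatch for people who embed the GUI in their own site.
//
// See https://www.w3.org/TR/cors/ for details.
func corsMiddleware(next http.Handler, allowFrameLoading bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hdr := w.Header()

		// Every OPTIONS request is treated as a preflight, whether or not it
		// carries an Origin header, and is answered without consulting next.
		if r.Method == http.MethodOptions {
			// Any origin may perform a preflight; see the note above on why
			// this does not by itself expose the API cross-origin. Set rather
			// than Add so a duplicate header is never emitted if something
			// upstream already populated it.
			hdr.Set("Access-Control-Allow-Origin", "*")
			// Methods a cross-origin caller may request. PUT, PATCH and
			// DELETE are listed alongside GET/POST, presumably because the
			// REST API uses them.
			hdr.Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
			// Only these request headers may be sent cross-origin. X-API-Key
			// is, presumably, the header API clients authenticate with.
			hdr.Set("Access-Control-Allow-Headers", "Content-Type, X-API-Key")
			// Let the browser cache this preflight result for ten minutes.
			hdr.Set("Access-Control-Max-Age", "600")

			// A preflight reply has no body.
			w.WriteHeader(http.StatusNoContent)
			return
		}

		// Security headers for everything that is not a preflight.
		// https://www.owasp.org/index.php/Security_Headers

		if !allowFrameLoading {
			// Refuse to be rendered inside an <iframe>, <frame> or <object>
			// by a different origin (clickjacking defence). SAMEORIGIN still
			// lets us frame ourselves, and people who reverse-proxy the GUI
			// under their own origin get framing for free without needing
			// allowFrameLoading.
			hdr.Set("X-Frame-Options", "SAMEORIGIN")
		}

		// Legacy reflected-XSS filter. NOTE(review): current browsers ignore
		// this header (the XSS auditor was removed from the major engines),
		// so it only helps older clients and is no substitute for a
		// Content-Security-Policy.
		hdr.Set("X-XSS-Protection", "1; mode=block")

		// Our Content-Type headers are correct; forbid MIME sniffing so a
		// served file cannot be reinterpreted by the browser as script or
		// HTML.
		hdr.Set("X-Content-Type-Options", "nosniff")

		// Everything else goes to the next handler in the chain.
		next.ServeHTTP(w, r)
	})
}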
| 590 | |
| 591 | func redirectToHTTPSMiddleware(h http.Handler) http.Handler { |
| 592 | return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |