536}
537
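// corsMiddleware wraps next with CORS preflight handling and the browser
// security headers every response should carry.
//
// OPTIONS requests are answered here with 204 No Content and permissive CORS
// headers; they never reach next. Because a preflight is unauthenticated,
// this middleware must be the first in the chain (and is therefore added last
// when the chain is assembled).
//
// Only the OPTIONS reply carries Access-Control-Allow-Origin; non-OPTIONS
// responses do not, and Access-Control-Allow-Credentials is never sent. A
// cross-origin page can thus complete a preflight, but the browser will not
// expose the actual API response to it and cookies are never shared. Any
// authentication of the actual request happens further down the chain.
//
// allowFrameLoading suppresses X-Frame-Options for deployments that
// intentionally embed the GUI in their own site through a proxy.
//
// See https://www.w3.org/TR/cors/ and
// https://www.owasp.org/index.php/Security_Headers for background.
func corsMiddleware(next http.Handler, allowFrameLoading bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions {
			h := w.Header()
			// Any origin may preflight. Set (not Add) so a repeated pass
			// through the chain cannot produce a duplicate header, which
			// browsers reject.
			h.Set("Access-Control-Allow-Origin", "*")
			// Methods the API accepts on cross-origin requests.
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
			// Request headers a cross-origin caller may send.
			h.Set("Access-Control-Allow-Headers", "Content-Type, X-API-Key")
			// Browsers may cache this preflight result for 10 minutes.
			h.Set("Access-Control-Max-Age", "600")
			// No body follows; stop the chain here.
			w.WriteHeader(http.StatusNoContent)
			return
		}

		if !allowFrameLoading {
			// Refuse to be rendered inside an <iframe>, <frame> or
			// <object> on another origin (clickjacking defence).
			w.Header().Set("X-Frame-Options", "SAMEORIGIN")
		}
		// Legacy hint for browsers with a built-in XSS auditor; most
		// current browsers no longer act on it, it is kept for compatibility.
		w.Header().Set("X-XSS-Protection", "1; mode=block")
		// Our Content-Type headers are correct; forbid MIME sniffing.
		w.Header().Set("X-Content-Type-Options", "nosniff")

		// Everything else continues down the chain.
		next.ServeHTTP(w, r)
	})
}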
590
591func redirectToHTTPSMiddleware(h http.Handler) http.Handler {
592 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
