Relaxed CORS restriction from /api/ endpoint, see #46

Now cross-site xhr-requests can work inside browser(by scripts or extensions) even if the authentication is enabled. Tested on an extension which uses /api/ endpoint with authentication feature and solves [https://github.com/ketankr9/cloud-torrent-extension/issues/1#issuecomment-570915569](https://github.com/ketankr9/cloud-torrent-extension/issues/1#issuecomment-570915569) Note: CORS only affects webHandle
boypt · Jan 10, 2020 · a55227d · a55227d
1 parent 6621e7c
commit a55227d
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/server/server_http.go b/server/server_http.go
@@ -39,7 +39,12 @@ func (s *Server) webHandle(w http.ResponseWriter, r *http.Request) {
 	}
 	//api call
 	if strings.HasPrefix(r.URL.Path, "/api/") {
-		w.Header().Set("Access-Control-Allow-Headers", "authorization")
+		origin := r.Header.Get("Origin")
+		if origin == "" {
+			origin = "*"
+		}
+		w.Header().Set("Access-Control-Allow-Origin", origin)
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
 		s.restAPIhandle(w, r)
 		return
 	}
@@ -51,7 +56,6 @@ func (s *Server) webHandle(w http.ResponseWriter, r *http.Request) {
 func (s *Server) restAPIhandle(w http.ResponseWriter, r *http.Request) {
 	ret := "Bad Request"
 	if strings.HasPrefix(r.URL.Path, "/api/") {
-		w.Header().Set("Access-Control-Allow-Origin", "*")
 		switch r.Method {
 		case "POST":
 			if err := s.apiPOST(r); err == nil {