Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(middleware/cors): Add support for Access-Control-Allow-Private-Network #2908

Merged
merged 17 commits into from
Mar 22, 2024
+260 −137
Merged

feat(middleware/cors): Add support for Access-Control-Allow-Private-Network #2908

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
b8b36fd
Add support for Access-Control-Allow-Private-Network in CORS middleware
Behzad-Khokher Mar 9, 2024
33194c8
Access-Control-Allow-Private-Network in CORS middleware documentation…
Behzad-Khokher Mar 9, 2024
e9e9c97
Access-Control-Allow-Private-Network in CORS middleware tests
Behzad-Khokher Mar 9, 2024
e928f79
Fix lint issues
gaby Mar 14, 2024
88cd688
Fix formatting
gaby Mar 14, 2024
93af949
Merge branch 'main' into cors-private-network-support
gaby Mar 17, 2024
e7ee21f
Rename config option, add more unit-tests
gaby Mar 17, 2024
1af71a3
Fix syntax issue
gaby Mar 17, 2024
0ccf921
Fix conditional
gaby Mar 17, 2024
0779b21
Fix formatting, add more unit-tests
gaby Mar 17, 2024
a3fa421
Merge branch 'main' into cors-private-network-support
gaby Mar 17, 2024
1562aa0
Merge branch 'main' into cors-private-network-support
gaby Mar 18, 2024
0ea8c85
Merge branch 'main' into cors-private-network-support
gaby Mar 19, 2024
7293cb9
chore(middleware/cors): Update middleware/cors/cors.go
sixcolors Mar 20, 2024
4b5515c
chore(middleware/cors): add HeaderAccessControlRequestPrivateNetowkr
sixcolors Mar 20, 2024
c036d4b
test(middleware/cors): fix CORS headers
sixcolors Mar 20, 2024
394d962
docs(middleware/cors): table order and alignment
sixcolors Mar 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 13 additions & 10 deletions docs/api/middleware/cors.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,16 +110,18 @@ panic: [CORS] 'AllowCredentials' is true, but 'AllowOrigins' cannot be set to `"

gaby marked this conversation as resolved.
Show resolved Hide resolved
## Config

| Property | Type | Description | Default |
|:-----------------|:---------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------|
| Next | `func(fiber.Ctx) bool` | Next defines a function to skip this middleware when returned true. | `nil` |
| AllowOriginsFunc | `func(origin string) bool` | `AllowOriginsFunc` is a function that dynamically determines whether to allow a request based on its origin. If this function returns `true`, the 'Access-Control-Allow-Origin' response header will be set to the request's 'origin' header. This function is only used if the request's origin doesn't match any origin in `AllowOrigins`. | `nil` |
| AllowOrigins | `string` | AllowOrigins defines a comma separated list of origins that may access the resource. This supports subdomain matching, so you can use a value like "https://*.example.com" to allow any subdomain of example.com to submit requests. | `"*"` |
| AllowMethods | `string` | AllowMethods defines a list of methods allowed when accessing the resource. This is used in response to a preflight request. | `"GET,POST,HEAD,PUT,DELETE,PATCH"` |
| AllowHeaders | `string` | AllowHeaders defines a list of request headers that can be used when making the actual request. This is in response to a preflight request. | `""` |
| AllowCredentials | `bool` | AllowCredentials indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note: If true, AllowOrigins cannot be set to a wildcard (`"*"`) to prevent security vulnerabilities. | `false` |
| ExposeHeaders | `string` | ExposeHeaders defines whitelist headers that clients are allowed to access. | `""` |
| MaxAge | `int` | MaxAge indicates how long (in seconds) the results of a preflight request can be cached. If you pass MaxAge 0, the Access-Control-Max-Age header will not be added and the browser will use 5 seconds by default. To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header to 0. | `0` |
| Property | Type | Description | Default |
|:---------------------|:----------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------|
| AllowCredentials | `bool` | AllowCredentials indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note: If true, AllowOrigins cannot be set to a wildcard (`"*"`) to prevent security vulnerabilities. | `false` |
| AllowHeaders | `string` | AllowHeaders defines a list of request headers that can be used when making the actual request. This is in response to a preflight request. | `""` |
| AllowMethods | `string` | AllowMethods defines a list of methods allowed when accessing the resource. This is used in response to a preflight request. | `"GET,POST,HEAD,PUT,DELETE,PATCH"` |
| AllowOrigins | `string` | AllowOrigins defines a comma-separated list of origins that may access the resource. This supports subdomain matching, so you can use a value like "https://*.example.com" to allow any subdomain of example.com to submit requests. | `"*"` |
| AllowOriginsFunc | `func(origin string) bool` | `AllowOriginsFunc` is a function that dynamically determines whether to allow a request based on its origin. If this function returns `true`, the 'Access-Control-Allow-Origin' response header will be set to the request's 'origin' header. This function is only used if the request's origin doesn't match any origin in `AllowOrigins`. | `nil` |
| AllowPrivateNetwork | `bool` | Indicates whether the `Access-Control-Allow-Private-Network` response header should be set to `true`, allowing requests from private networks. This aligns with modern security practices for web applications interacting with private networks. | `false` |
| ExposeHeaders | `string` | ExposeHeaders defines whitelist headers that clients are allowed to access. | `""` |
| MaxAge | `int` | MaxAge indicates how long (in seconds) the results of a preflight request can be cached. If you pass MaxAge 0, the Access-Control-Max-Age header will not be added and the browser will use 5 seconds by default. To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header to 0. | `0` |
| Next | `func(fiber.Ctx) bool` | Next defines a function to skip this middleware when returned true. | `nil` |


## Default Config

Expand All @@ -140,6 +142,7 @@ var ConfigDefault = Config{
AllowCredentials: false,
ExposeHeaders: "",
MaxAge: 0,
AllowPrivateNetwork: false,
}
```

Expand Down
Loading
Loading