diff options
Diffstat (limited to 'vendor/go.mau.fi/util/exhttp/cors.go')
-rw-r--r-- | vendor/go.mau.fi/util/exhttp/cors.go | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/vendor/go.mau.fi/util/exhttp/cors.go b/vendor/go.mau.fi/util/exhttp/cors.go new file mode 100644 index 0000000..037be8d --- /dev/null +++ b/vendor/go.mau.fi/util/exhttp/cors.go @@ -0,0 +1,26 @@ +package exhttp + +import "net/http" + +func AddCORSHeaders(w http.ResponseWriter) { + // Recommended CORS headers can be found in https://spec.matrix.org/v1.3/client-server-api/#web-browser-clients + w.Header().Set("Access-Control-Allow-Origin", "*") + w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS") + w.Header().Set("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, Authorization") + w.Header().Set("Content-Security-Policy", "sandbox; default-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';") + // Allow browsers to cache above for 1 day + w.Header().Set("Access-Control-Max-Age", "86400") +} + +// CORSMiddleware adds CORS headers to the response and handles OPTIONS +// requests by returning 200 OK immediately. +func CORSMiddleware(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + AddCORSHeaders(w) + if r.Method == http.MethodOptions { + w.WriteHeader(http.StatusOK) + return + } + next.ServeHTTP(w, r) + }) +} |