.. | ||
examples | ||
wrapper/gin | ||
.travis.yml | ||
bench_test.go | ||
cors_test.go | ||
cors.go | ||
go.mod | ||
LICENSE | ||
README.md | ||
utils_test.go | ||
utils.go |
Go CORS handler
CORS is a net/http
handler implementing Cross Origin Resource Sharing W3 specification in Golang.
Getting Started
After installing Go and setting up your GOPATH, create your first .go
file. We'll call it server.go
.
package main
import (
"net/http"
"github.com/rs/cors"
)
func main() {
mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.Write([]byte("{\"hello\": \"world\"}"))
})
// cors.Default() setup the middleware with default options being
// all origins accepted with simple methods (GET, POST). See
// documentation below for more options.
handler := cors.Default().Handler(mux)
http.ListenAndServe(":8080", handler)
}
Install cors
:
go get github.com/rs/cors
Then run your server:
go run server.go
The server now runs on localhost:8080
:
$ curl -D - -H 'Origin: http://foo.com' http://localhost:8080/
HTTP/1.1 200 OK
Access-Control-Allow-Origin: foo.com
Content-Type: application/json
Date: Sat, 25 Oct 2014 03:43:57 GMT
Content-Length: 18
{"hello": "world"}
Allow * With Credentials Security Protection
This library has been modified to avoid a well known security issue when configured with AllowedOrigins
to *
and AllowCredentials
to true
. Such setup used to make the library reflects the request Origin
header value, working around a security protection embedded into the standard that makes clients to refuse such configuration. This behavior has been removed with #55 and #57.
If you depend on this behavior and understand the implications, you can restore it using the AllowOriginFunc
with func(origin string) {return true}
.
Please refer to #55 for more information about the security implications.
More Examples
net/http
: examples/nethttp/server.go- Goji: examples/goji/server.go
- Martini: examples/martini/server.go
- Negroni: examples/negroni/server.go
- Alice: examples/alice/server.go
- HttpRouter: examples/httprouter/server.go
- Gorilla: examples/gorilla/server.go
- Buffalo: examples/buffalo/server.go
- Gin: examples/gin/server.go
Parameters
Parameters are passed to the middleware thru the cors.New
method as follow:
c := cors.New(cors.Options{
AllowedOrigins: []string{"http://foo.com", "http://foo.com:8080"},
AllowCredentials: true,
// Enable Debugging for testing, consider disabling in production
Debug: true,
})
// Insert the middleware
handler = c.Handler(handler)
- AllowedOrigins
[]string
: A list of origins a cross-domain request can be executed from. If the special*
value is present in the list, all origins will be allowed. An origin may contain a wildcard (*
) to replace 0 or more characters (i.e.:http://*.domain.com
). Usage of wildcards implies a small performance penality. Only one wildcard can be used per origin. The default value is*
. - AllowOriginFunc
func (origin string) bool
: A custom function to validate the origin. It take the origin as argument and returns true if allowed or false otherwise. If this option is set, the content ofAllowedOrigins
is ignored - AllowedMethods
[]string
: A list of methods the client is allowed to use with cross-domain requests. Default value is simple methods (GET
andPOST
). - AllowedHeaders
[]string
: A list of non simple headers the client is allowed to use with cross-domain requests. - ExposedHeaders
[]string
: Indicates which headers are safe to expose to the API of a CORS API specification - AllowCredentials
bool
: Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates. The default isfalse
. - MaxAge
int
: Indicates how long (in seconds) the results of a preflight request can be cached. The default is0
which stands for no max age. - OptionsPassthrough
bool
: Instructs preflight to let other potential next handlers to process theOPTIONS
method. Turn this on if your application handlesOPTIONS
. - Debug
bool
: Debugging flag adds additional output to debug server side CORS issues.
See API documentation for more info.
Benchmarks
BenchmarkWithout 20000000 64.6 ns/op 8 B/op 1 allocs/op
BenchmarkDefault 3000000 469 ns/op 114 B/op 2 allocs/op
BenchmarkAllowedOrigin 3000000 608 ns/op 114 B/op 2 allocs/op
BenchmarkPreflight 20000000 73.2 ns/op 0 B/op 0 allocs/op
BenchmarkPreflightHeader 20000000 73.6 ns/op 0 B/op 0 allocs/op
BenchmarkParseHeaderList 2000000 847 ns/op 184 B/op 6 allocs/op
BenchmarkParse…Single 5000000 290 ns/op 32 B/op 3 allocs/op
BenchmarkParse…Normalized 2000000 776 ns/op 160 B/op 6 allocs/op
Licenses
All source code is licensed under the MIT License.