forgejo/modules/setting/cors.go
wxiaoguang 7a2786ca6c
Refactor CORS handler (#28587) (#28611)
Backport #28587, the only conflict is the test file.

The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix #28515
Fix #27642
Fix #17098
2023-12-25 21:01:24 +08:00

34 lines
973 B
Go

// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package setting
import (
"time"
"code.gitea.io/gitea/modules/log"
)
// CORSConfig defines CORS settings
var CORSConfig = struct {
Enabled bool
AllowDomain []string // FIXME: this option is from legacy code, it actually works as "AllowedOrigins". When refactoring in the future, the config option should also be renamed together.
Methods []string
MaxAge time.Duration
AllowCredentials bool
Headers []string
XFrameOptions string
}{
AllowDomain: []string{"*"},
Methods: []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
Headers: []string{"Content-Type", "User-Agent"},
MaxAge: 10 * time.Minute,
XFrameOptions: "SAMEORIGIN",
}
func loadCorsFrom(rootCfg ConfigProvider) {
mustMapSetting(rootCfg, "cors", &CORSConfig)
if CORSConfig.Enabled {
log.Info("CORS Service Enabled")
}
}