Add configuration for CORS allowed headers (#21747)

drewmnoel · KN4CK3R · jolheiser · web-flow · commit 2cbea23d700d · 2022-11-11T14:39:27.000+08:00
This PR enhances the CORS middleware usage by allowing for the headers to be configured in `app.ini`. Fixes #21746 Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -1138,6 +1138,9 @@ ROUTER = console
 ;; allow request with credentials
 ;ALLOW_CREDENTIALS = false
 ;;
+;; headers to permit
+;HEADERS = Content-Type,User-Agent
+;;
 ;; set X-FRAME-OPTIONS header
 ;X_FRAME_OPTIONS = SAMEORIGIN
 
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -200,6 +200,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
 - `MAX_AGE`: **10m**: max time to cache response
 - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
+- `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests
 - `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
 
 ## UI (`ui`)
diff --git a/modules/setting/cors.go b/modules/setting/cors.go
@@ -19,10 +19,12 @@ var CORSConfig = struct {
 	Methods          []string
 	MaxAge           time.Duration
 	AllowCredentials bool
+	Headers          []string
 	XFrameOptions    string
 }{
 	Enabled:       false,
 	MaxAge:        10 * time.Minute,
+	Headers:       []string{"Content-Type", "User-Agent"},
 	XFrameOptions: "SAMEORIGIN",
 }
 
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
@@ -617,7 +617,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 			// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 			AllowedMethods:   setting.CORSConfig.Methods,
 			AllowCredentials: setting.CORSConfig.AllowCredentials,
-			AllowedHeaders:   []string{"Authorization", "X-Gitea-OTP"},
+			AllowedHeaders:   append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),
 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
 		}))
 	}
diff --git a/routers/web/web.go b/routers/web/web.go
@@ -67,6 +67,7 @@ func CorsHandler() func(next http.Handler) http.Handler {
 			// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 			AllowedMethods:   setting.CORSConfig.Methods,
 			AllowCredentials: setting.CORSConfig.AllowCredentials,
+			AllowedHeaders:   setting.CORSConfig.Headers,
 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
 		})
 	}

Original file line number	Diff line number	Diff line change
`@@ -617,7 +617,7 @@ func Routes(ctx gocontext.Context) *web.Route {`
`617`	`617`	`// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option`
`618`	`618`	`AllowedMethods: setting.CORSConfig.Methods,`
`619`	`619`	`AllowCredentials: setting.CORSConfig.AllowCredentials,`
`620`		`- AllowedHeaders: []string{"Authorization", "X-Gitea-OTP"},`
	`620`	`+ AllowedHeaders: append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),`
`621`	`621`	`MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),`
`622`	`622`	`}))`
`623`	`623`	`}`
Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,7 @@ func CorsHandler() func(next http.Handler) http.Handler {`
`67`	`67`	`// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option`
`68`	`68`	`AllowedMethods: setting.CORSConfig.Methods,`
`69`	`69`	`AllowCredentials: setting.CORSConfig.AllowCredentials,`
	`70`	`+ AllowedHeaders: setting.CORSConfig.Headers,`
`70`	`71`	`MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),`
`71`	`72`	`})`
`72`	`73`	`}`