3 changes: 3 additions & 0 deletions custom/conf/app.example.ini
Expand Up @@ -1104,6 +1104,9 @@ ROUTER = console
;; allow request with credentials
;ALLOW_CREDENTIALS = false
;;
;; headers to permit
;HEADERS = Authorization,Content-Type,User-Agent
;;
;; set X-FRAME-OPTIONS header
;X_FRAME_OPTIONS = SAMEORIGIN
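Review bot: the commented example value `;HEADERS = Authorization,Content-Type,User-Agent` does not match the code default `Headers: []string{"Content-Type", "User-Agent"}` in modules/setting/cors.go or the documented default in the config cheat sheet. Since routers/api/v1/api.go already appends `Authorization` to this list for API routes, an admin who uncomments the example as-is ends up listing `Authorization` twice; suggest `;HEADERS = Content-Type,User-Agent` so the three defaults agree.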

1 change: 1 addition & 0 deletions docs/content/doc/advanced/config-cheat-sheet.en-us.md
Expand Up @@ -167,6 +167,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
- `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
- `MAX_AGE`: **10m**: max time to cache response
- `ALLOW_CREDENTIALS`: **false**: allow request with credentials
- `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.

## UI (`ui`)
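Review bot: the new `HEADERS` entry describes the value as "additional headers", but in routers/web/web.go the list is passed straight through as `AllowedHeaders`, so it is the complete set of permitted request headers for web routes, not an extension of a built-in list; and for API routes `Authorization` and `X-Gitea-OTP` are always added on top of it. Suggest wording along the lines of "list of request headers permitted in cross-origin requests; API routes additionally always allow `Authorization` and `X-Gitea-OTP`" so an admin knows whether they need to add `Authorization` themselves.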
2 changes: 2 additions & 0 deletions modules/setting/cors.go
Expand Up @@ -19,10 +19,12 @@ var CORSConfig = struct {
Methods []string
MaxAge time.Duration
AllowCredentials bool
Headers []string
XFrameOptions string
}{
Enabled: false,
MaxAge: 10 * time.Minute,
Headers: []string{"Content-Type", "User-Agent"},
XFrameOptions: "SAMEORIGIN",
}

2 changes: 1 addition & 1 deletion routers/api/v1/api.go
Expand Up @@ -617,7 +617,7 @@ func Routes(ctx gocontext.Context) *web.Route {
// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
AllowedMethods: setting.CORSConfig.Methods,
AllowCredentials: setting.CORSConfig.AllowCredentials,
AllowedHeaders: []string{"Authorization", "X-Gitea-OTP"},
AllowedHeaders: append(setting.CORSConfig.Headers, "Authorization", "X-Gitea-OTP"),
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
}))
}
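Review bot: `append(setting.CORSConfig.Headers, "Authorization", "X-Gitea-OTP")` appends into the backing array of the shared config slice whenever that slice has spare capacity, so another reader of `setting.CORSConfig.Headers` (the web handler in routers/web/web.go uses it directly) can observe the extra elements, and calling `Routes` more than once compounds the aliasing. Build a fresh slice instead: `headers := make([]string, 0, len(setting.CORSConfig.Headers)+2)`, `headers = append(headers, setting.CORSConfig.Headers...)`, `headers = append(headers, "Authorization", "X-Gitea-OTP")`, then `AllowedHeaders: headers`.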
1 change: 1 addition & 0 deletions routers/web/web.go
Expand Up @@ -67,6 +67,7 @@ func CorsHandler() func(next http.Handler) http.Handler {
// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
AllowedMethods: setting.CORSConfig.Methods,
AllowCredentials: setting.CORSConfig.AllowCredentials,
AllowedHeaders: setting.CORSConfig.Headers,
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
})
}
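Review bot: unlike the API handler, this hunk passes `setting.CORSConfig.Headers` through unchanged, so with the shipped default of `Content-Type,User-Agent` a cross-origin request to a web route that sends `Authorization` will fail its preflight. If that asymmetry with the API routes is intended, a one-line comment stating so would stop the next reader from "fixing" it; if not, `Authorization` should be added here the same way it is in routers/api/v1/api.go.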