Add configuration for CORS allowed headers (#21747)

This PR enhances the CORS middleware usage by allowing for the headers
to be configured in `app.ini`.

Fixes #21746

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
Drew Noel 2022-11-11 01:39:27 -05:00 committed by GitHub
parent fb704f6c72
commit 2cbea23d70
Signed by: GitHub
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 8 additions and 1 deletions

@ -1138,6 +1138,9 @@ ROUTER = console
;; allow request with credentials
;ALLOW_CREDENTIALS = false
;;
;; headers to permit
;HEADERS = Content-Type,User-Agent
;;
;; set X-FRAME-OPTIONS header
;X_FRAME_OPTIONS = SAMEORIGIN

@ -200,6 +200,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
- `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
- `MAX_AGE`: **10m**: max time to cache response
- `ALLOW_CREDENTIALS`: **false**: allow request with credentials
- `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
## UI (`ui`)

@ -19,10 +19,12 @@ var CORSConfig = struct {
Methods []string
MaxAge time.Duration
AllowCredentials bool
Headers []string
XFrameOptions string
}{
Enabled: false,
MaxAge: 10 * time.Minute,
Headers: []string{"Content-Type", "User-Agent"},
XFrameOptions: "SAMEORIGIN",
}

@ -617,7 +617,7 @@ func Routes(ctx gocontext.Context) *web.Route {
// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
AllowedMethods: setting.CORSConfig.Methods,
AllowCredentials: setting.CORSConfig.AllowCredentials,
AllowedHeaders: []string{"Authorization", "X-Gitea-OTP"},
AllowedHeaders: append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
}))
}

@ -67,6 +67,7 @@ func CorsHandler() func(next http.Handler) http.Handler {
// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
AllowedMethods: setting.CORSConfig.Methods,
AllowCredentials: setting.CORSConfig.AllowCredentials,
AllowedHeaders: setting.CORSConfig.Headers,
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
})
}