KurlesHS/rclone
1
0
Fork 0
forked from TrueCloudLab/rclone
Code Pull requests Activity

http: CORS should not be send if not set (#6433)

Browse source
This commit is contained in:
yuudi 2023-07-29 02:58:37 +00:00 committed by Nick Craig-Wood
parent e66675d346
commit f4449440f8
3 changed files with 51 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
fs/rc/rcserver/rcserver.go
View file

@ -212,11 +212,6 @@ func writeError(path string, in rc.Params, w http.ResponseWriter, err error, sta
func (s *Server) handler(w http.ResponseWriter, r *http.Request) { func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
path := strings.TrimLeft(r.URL.Path, "/") path := strings.TrimLeft(r.URL.Path, "/")
// echo back access control headers client needs
//reqAccessHeaders := r.Header.Get("Access-Control-Request-Headers")
w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
switch r.Method { switch r.Method {
case "POST": case "POST":
s.handlePost(w, r, path) s.handlePost(w, r, path)

8
lib/http/middleware.go
View file

@ -173,14 +173,10 @@ func MiddlewareCORS(allowOrigin string) Middleware {
if allowOrigin != "" { if allowOrigin != "" {
w.Header().Add("Access-Control-Allow-Origin", allowOrigin) w.Header().Add("Access-Control-Allow-Origin", allowOrigin)
} else { w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
w.Header().Add("Access-Control-Allow-Origin", PublicURL(r)) w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
} }
// echo back access control headers client needs
w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
if r.Method == "OPTIONS" { if r.Method == "OPTIONS" {
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
return return

56
lib/http/middleware_test.go
View file

@ -332,13 +332,6 @@ func TestMiddlewareCORS(t *testing.T) {
name string name string
http Config http Config
}{ }{
{
name: "EmptyOrigin",
http: Config{
ListenAddr: []string{"127.0.0.1:0"},
AllowOrigin: "",
},
},
{ {
name: "CustomOrigin", name: "CustomOrigin",
http: Config{ http: Config{
@ -389,6 +382,55 @@ func TestMiddlewareCORS(t *testing.T) {
} }
} }
func TestMiddlewareCORSEmptyOrigin(t *testing.T) {
servers := []struct {
name string
http Config
}{
{
name: "EmptyOrigin",
http: Config{
ListenAddr: []string{"127.0.0.1:0"},
AllowOrigin: "",
},
},
}
for _, ss := range servers {
t.Run(ss.name, func(t *testing.T) {
s, err := NewServer(context.Background(), WithConfig(ss.http))
require.NoError(t, err)
defer func() {
require.NoError(t, s.Shutdown())
}()
expected := []byte("data")
s.Router().Mount("/", testEchoHandler(expected))
s.Serve()
url := testGetServerURL(t, s)
client := &http.Client{}
req, err := http.NewRequest("GET", url, nil)
require.NoError(t, err)
resp, err := client.Do(req)
require.NoError(t, err)
defer func() {
_ = resp.Body.Close()
}()
require.Equal(t, http.StatusOK, resp.StatusCode, "should return ok")
testExpectRespBody(t, resp, expected)
for _, key := range _testCORSHeaderKeys {
require.NotContains(t, resp.Header, key, "CORS headers should not be sent")
}
})
}
}
func TestMiddlewareCORSWithAuth(t *testing.T) { func TestMiddlewareCORSWithAuth(t *testing.T) {
authServers := []struct { authServers := []struct {
name string name string