From b48d02f4a6850a2cdbbb25edcbbe7ea3be7cb802 Mon Sep 17 00:00:00 2001
From: Roman Khimov
Date: Tue, 4 Oct 2022 21:50:46 +0300
Subject: [PATCH] rpcsrv: handle preflight OPTIONS with CORS kludge, fix #2721
---
 pkg/services/rpcsrv/server.go | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/pkg/services/rpcsrv/server.go b/pkg/services/rpcsrv/server.go
index 1b88b561b..15d24db4a 100644
--- a/pkg/services/rpcsrv/server.go
+++ b/pkg/services/rpcsrv/server.go
@@ -446,6 +446,13 @@ func (s *Server) handleHTTPRequest(w http.ResponseWriter, httpRequest *http.Requ
 return
 }
+ if httpRequest.Method == "OPTIONS" && s.config.EnableCORSWorkaround { // Preflight CORS.
+ setCORSOriginHeaders(w.Header())
+ w.Header().Set("Access-Control-Allow-Methods", "GET, POST") // GET for websockets.
+ w.Header().Set("Access-Control-Max-Age", "21600") // 6 hours.
+ return
+ }
+
 if httpRequest.Method != "POST" {
 s.writeHTTPErrorResponse(
 params.NewIn(),
@@ -2733,6 +2740,11 @@ func (s *Server) writeHTTPErrorResponse(r *params.In, w http.ResponseWriter, jso
 s.writeHTTPServerResponse(¶ms.Request{In: r}, w, resp)
 }
+func setCORSOriginHeaders(h http.Header) {
+ h.Set("Access-Control-Allow-Origin", "*")
+ h.Set("Access-Control-Allow-Headers", "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With")
+}
+
 func (s *Server) writeHTTPServerResponse(r *params.Request, w http.ResponseWriter, resp abstractResult) {
 // Errors can happen in many places and we can only catch ALL of them here.
 resp.RunForErrors(func(jsonErr *neorpc.Error) {
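Review bot: The 6-hour `Access-Control-Max-Age` on the new OPTIONS branch lets a browser that has cached the preflight keep sending the real request without asking again, so switching `EnableCORSWorkaround` off does not stop those clients until the cached entry expires (browsers apply their own upper limit, so the effective lifetime may be shorter). The reply to the real request would then lack the CORS headers and be unreadable to the page, but the request itself still reaches the server. A shorter value, or at least a comment such as `// Cached by browsers: disabling the workaround does not stop already-cached clients from sending requests until this expires.`, would make that visible to operators. The branch also relies on the implicit 200 status; `w.WriteHeader(http.StatusNoContent)` before `return` would state the intent. handleHTTPRequest begins and ends outside the hunk.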
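Review bot: `setCORSOriginHeaders` has no doc comment, and because it now also feeds the preflight reply, `Access-Control-Allow-Origin: *` together with `Authorization` in the allowed headers becomes the policy for every non-simple browser request when `EnableCORSWorkaround` is set. With that setting, any web page open in a user's browser may call the RPC endpoint of a node that browser can reach, which presumably includes nodes bound to a local or internal address. A comment like `// setCORSOriginHeaders permits requests from any origin; call only when EnableCORSWorkaround is set.` would record this, and a configurable origin list would be a safer long-term shape than the wildcard. `Access-Control-Allow-Headers` listed inside its own value is a response header name and looks redundant there.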
@@ -2746,8 +2758,7 @@ func (s *Server) writeHTTPServerResponse(r *params.Request, w http.ResponseWrite
 }
 w.Header().Set("Content-Type", "application/json; charset=utf-8")
 if s.config.EnableCORSWorkaround {
- w.Header().Set("Access-Control-Allow-Origin", "*")
- w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With")
+ setCORSOriginHeaders(w.Header())
 }
 encoder := json.NewEncoder(w)