F5KCK
/
hugo-mx-gateway
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Send Origin back as Access-Control-Allow-Origin 

Rationale: At this point, we have already verified that the Origin is
allowed. Some clients, e.g. those that submit a form using AJAX, will
expect a CORS header allowing the request. Instead of setting
Access-Control-Allow-Origin *, or setting the header to all allowed
origins (thus leaking a list of sites that use the gateway), we can
thus simply set the same Origin the browser identifies with.
This commit is contained in:
Dominik George 2022-04-28 23:41:39 +02:00
parent 477643b58e
commit d58a99ae33
No known key found for this signature in database
GPG Key ID: 0AE554E5460E1BDD
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sendmail.go
View File

@ -176,6 +176,9 @@ func MuxSecAllowedDomainsHandler(next http.Handler) http.Handler {
return return
} }
// Send the allowed origin back as CORS header
w.Header().Set("Access-Control-Allow-Origin", r.Header["Origin"][0])
next.ServeHTTP(w, r) next.ServeHTTP(w, r)
}) })
} }