// TestMatchOrigin runs cors.MatchOrigin over a table of origin/spec pairs and
// reports every pair whose result differs from the expected one.
func TestMatchOrigin(t *testing.T) {
	type matchCase struct {
		Origin string
		Spec   string
		Result bool
	}

	cases := []matchCase{
		// The bare wildcard is expected to accept the origin.
		{Origin: "http://example.com", Spec: "*", Result: true},
		// Exact specs compare the whole origin, scheme included.
		{Origin: "http://example.com", Spec: "http://example.com", Result: true},
		{Origin: "http://example.com", Spec: "https://example.com", Result: false},
		// Leading wildcard: the origin has to end with the rest of the spec,
		// so an explicit port after the host is expected not to match.
		{Origin: "http://test.example.com", Spec: "*.example.com", Result: true},
		{Origin: "http://test.example.com:80", Spec: "*.example.com", Result: false},
		// Trailing wildcard: anything after the fixed prefix is accepted.
		// NOTE(review): the table has no negative case for this form, e.g. an
		// origin whose host merely begins with the same prefix. Whether
		// MatchOrigin rejects that is not visible here; confirm before
		// using a trailing-wildcard spec in an allow-list.
		{Origin: "http://test.example.com:80", Spec: "http://test.example.com*", Result: true},
	}

	for _, tc := range cases {
		if got := cors.MatchOrigin(tc.Origin, tc.Spec); got != tc.Result {
			t.Errorf("cors.MatchOrigin(%s, %s) should return %t", tc.Origin, tc.Spec, tc.Result)
		}
	}
}
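// handleSpecOrigin applies the CORS response headers corresponding to the origin.
//
// It wraps h so that a request carrying an Origin header accepted by the "*"
// spec gets Access-Control-Allow-Origin set to that origin, with credentials
// disabled, and gets Access-Control-Allow-Methods when the request is a
// preflight. h is invoked in every case and its error is returned unchanged.
func handleSpecOrigin(h goa.Handler) goa.Handler {
	return func(ctx context.Context, rw http.ResponseWriter, req *http.Request) error {
		origin := req.Header.Get("Origin")
		if origin == "" {
			// Not a CORS request
			return h(ctx, rw, req)
		}
		if cors.MatchOrigin(origin, "*") {
			// NOTE(review): origin is copied verbatim from a client-supplied
			// header into the log context; presumably the log adapter
			// escapes it, confirm.
			ctx = goa.WithLogContext(ctx, "origin", origin)

			hdr := rw.Header()
			hdr.Set("Access-Control-Allow-Origin", origin)
			// The header above echoes the request's Origin, so the response
			// differs per origin. Vary: Origin stops a shared cache from
			// replaying one origin's copy to another. Add keeps any Vary
			// value that is already present.
			hdr.Add("Vary", "Origin")
			// Browsers act only on the value "true", so "false" leaves
			// credentialed cross-origin reads disabled. That is what keeps
			// echoing an arbitrary origin no more permissive than "*"; do
			// not switch this to "true" while the spec stays "*".
			hdr.Set("Access-Control-Allow-Credentials", "false")
			if acrm := req.Header.Get("Access-Control-Request-Method"); acrm != "" {
				// We are handling a preflight request
				hdr.Set("Access-Control-Allow-Methods", "GET")
			}
		}
		// Matched or not, the wrapped handler always runs; CORS is enforced
		// by the browser, not by refusing the request here.
		return h(ctx, rw, req)
	}
}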