feat(middleware/cors): Add support for Access-Control-Allow-Private-Network #2908

Merged (17 commits) on Mar 22, 2024. Changes shown from 14 commits.
4 changes: 4 additions & 0 deletions docs/api/middleware/cors.md
@@ -121,6 +121,9 @@ panic: [CORS] 'AllowCredentials' is true, but 'AllowOrigins' cannot be set to `"
| ExposeHeaders | `string` | ExposeHeaders defines whitelist headers that clients are allowed to access. | `""` |
| MaxAge | `int` | MaxAge indicates how long (in seconds) the results of a preflight request can be cached. If you pass MaxAge 0, the Access-Control-Max-Age header will not be added and the browser will use 5 seconds by default. To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header to 0. | `0` |

| `AllowPrivateNetwork` | `bool` | Indicates whether the `Access-Control-Allow-Private-Network` response header should be set to `true`, allowing requests from private networks. This aligns with modern security practices for web applications interacting with private networks. |


## Default Config

```go
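Review bot: the new `AllowPrivateNetwork` row is missing the Default column that every other row in this table carries (the `MaxAge` row above ends in `| \`0\` |`); append `| \`false\` |` so it matches `ConfigDefault`. Two smaller points on the same row: the property name is wrapped in backticks while the neighbouring `ExposeHeaders` and `MaxAge` are not, and the closing sentence about "modern security practices" describes no behaviour. More useful would be to state what the middleware actually does, namely that the header is only emitted on preflight requests that themselves carry `Access-Control-Request-Private-Network: true`, and that enabling it lets a page on a public origin (still subject to `AllowOrigins`) reach this server when it sits on a private network, which is why the default stays `false`.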
@@ -140,6 +143,7 @@ var ConfigDefault = Config{
AllowCredentials: false,
ExposeHeaders: "",
MaxAge: 0,
AllowPrivateNetwork: false,
}
```

245 changes: 123 additions & 122 deletions helpers.go
@@ -856,128 +856,129 @@ var (

// HTTP Headers were copied from net/http.
const (
HeaderAuthorization = "Authorization"
HeaderProxyAuthenticate = "Proxy-Authenticate"
HeaderProxyAuthorization = "Proxy-Authorization"
HeaderWWWAuthenticate = "WWW-Authenticate"
HeaderAge = "Age"
HeaderCacheControl = "Cache-Control"
HeaderClearSiteData = "Clear-Site-Data"
HeaderExpires = "Expires"
HeaderPragma = "Pragma"
HeaderWarning = "Warning"
HeaderAcceptCH = "Accept-CH"
HeaderAcceptCHLifetime = "Accept-CH-Lifetime"
HeaderContentDPR = "Content-DPR"
HeaderDPR = "DPR"
HeaderEarlyData = "Early-Data"
HeaderSaveData = "Save-Data"
HeaderViewportWidth = "Viewport-Width"
HeaderWidth = "Width"
HeaderETag = "ETag"
HeaderIfMatch = "If-Match"
HeaderIfModifiedSince = "If-Modified-Since"
HeaderIfNoneMatch = "If-None-Match"
HeaderIfUnmodifiedSince = "If-Unmodified-Since"
HeaderLastModified = "Last-Modified"
HeaderVary = "Vary"
HeaderConnection = "Connection"
HeaderKeepAlive = "Keep-Alive"
HeaderAccept = "Accept"
HeaderAcceptCharset = "Accept-Charset"
HeaderAcceptEncoding = "Accept-Encoding"
HeaderAcceptLanguage = "Accept-Language"
HeaderCookie = "Cookie"
HeaderExpect = "Expect"
HeaderMaxForwards = "Max-Forwards"
HeaderSetCookie = "Set-Cookie"
HeaderAccessControlAllowCredentials = "Access-Control-Allow-Credentials"
HeaderAccessControlAllowHeaders = "Access-Control-Allow-Headers"
HeaderAccessControlAllowMethods = "Access-Control-Allow-Methods"
HeaderAccessControlAllowOrigin = "Access-Control-Allow-Origin"
HeaderAccessControlExposeHeaders = "Access-Control-Expose-Headers"
HeaderAccessControlMaxAge = "Access-Control-Max-Age"
HeaderAccessControlRequestHeaders = "Access-Control-Request-Headers"
HeaderAccessControlRequestMethod = "Access-Control-Request-Method"
HeaderOrigin = "Origin"
HeaderTimingAllowOrigin = "Timing-Allow-Origin"
HeaderXPermittedCrossDomainPolicies = "X-Permitted-Cross-Domain-Policies"
HeaderDNT = "DNT"
HeaderTk = "Tk"
HeaderContentDisposition = "Content-Disposition"
HeaderContentEncoding = "Content-Encoding"
HeaderContentLanguage = "Content-Language"
HeaderContentLength = "Content-Length"
HeaderContentLocation = "Content-Location"
HeaderContentType = "Content-Type"
HeaderForwarded = "Forwarded"
HeaderVia = "Via"
HeaderXForwardedFor = "X-Forwarded-For"
HeaderXForwardedHost = "X-Forwarded-Host"
HeaderXForwardedProto = "X-Forwarded-Proto"
HeaderXForwardedProtocol = "X-Forwarded-Protocol"
HeaderXForwardedSsl = "X-Forwarded-Ssl"
HeaderXUrlScheme = "X-Url-Scheme"
HeaderLocation = "Location"
HeaderFrom = "From"
HeaderHost = "Host"
HeaderReferer = "Referer"
HeaderReferrerPolicy = "Referrer-Policy"
HeaderUserAgent = "User-Agent"
HeaderAllow = "Allow"
HeaderServer = "Server"
HeaderAcceptRanges = "Accept-Ranges"
HeaderContentRange = "Content-Range"
HeaderIfRange = "If-Range"
HeaderRange = "Range"
HeaderContentSecurityPolicy = "Content-Security-Policy"
HeaderContentSecurityPolicyReportOnly = "Content-Security-Policy-Report-Only"
HeaderCrossOriginResourcePolicy = "Cross-Origin-Resource-Policy"
HeaderExpectCT = "Expect-CT"
HeaderPermissionsPolicy = "Permissions-Policy"
HeaderPublicKeyPins = "Public-Key-Pins"
HeaderPublicKeyPinsReportOnly = "Public-Key-Pins-Report-Only"
HeaderStrictTransportSecurity = "Strict-Transport-Security"
HeaderUpgradeInsecureRequests = "Upgrade-Insecure-Requests"
HeaderXContentTypeOptions = "X-Content-Type-Options"
HeaderXDownloadOptions = "X-Download-Options"
HeaderXFrameOptions = "X-Frame-Options"
HeaderXPoweredBy = "X-Powered-By"
HeaderXXSSProtection = "X-XSS-Protection"
HeaderLastEventID = "Last-Event-ID"
HeaderNEL = "NEL"
HeaderPingFrom = "Ping-From"
HeaderPingTo = "Ping-To"
HeaderReportTo = "Report-To"
HeaderTE = "TE"
HeaderTrailer = "Trailer"
HeaderTransferEncoding = "Transfer-Encoding"
HeaderSecWebSocketAccept = "Sec-WebSocket-Accept"
HeaderSecWebSocketExtensions = "Sec-WebSocket-Extensions"
HeaderSecWebSocketKey = "Sec-WebSocket-Key"
HeaderSecWebSocketProtocol = "Sec-WebSocket-Protocol"
HeaderSecWebSocketVersion = "Sec-WebSocket-Version"
HeaderAcceptPatch = "Accept-Patch"
HeaderAcceptPushPolicy = "Accept-Push-Policy"
HeaderAcceptSignature = "Accept-Signature"
HeaderAltSvc = "Alt-Svc"
HeaderDate = "Date"
HeaderIndex = "Index"
HeaderLargeAllocation = "Large-Allocation"
HeaderLink = "Link"
HeaderPushPolicy = "Push-Policy"
HeaderRetryAfter = "Retry-After"
HeaderServerTiming = "Server-Timing"
HeaderSignature = "Signature"
HeaderSignedHeaders = "Signed-Headers"
HeaderSourceMap = "SourceMap"
HeaderUpgrade = "Upgrade"
HeaderXDNSPrefetchControl = "X-DNS-Prefetch-Control"
HeaderXPingback = "X-Pingback"
HeaderXRequestID = "X-Request-ID"
HeaderXRequestedWith = "X-Requested-With"
HeaderXRobotsTag = "X-Robots-Tag"
HeaderXUACompatible = "X-UA-Compatible"
HeaderAuthorization = "Authorization"
HeaderProxyAuthenticate = "Proxy-Authenticate"
HeaderProxyAuthorization = "Proxy-Authorization"
HeaderWWWAuthenticate = "WWW-Authenticate"
HeaderAge = "Age"
HeaderCacheControl = "Cache-Control"
HeaderClearSiteData = "Clear-Site-Data"
HeaderExpires = "Expires"
HeaderPragma = "Pragma"
HeaderWarning = "Warning"
HeaderAcceptCH = "Accept-CH"
HeaderAcceptCHLifetime = "Accept-CH-Lifetime"
HeaderContentDPR = "Content-DPR"
HeaderDPR = "DPR"
HeaderEarlyData = "Early-Data"
HeaderSaveData = "Save-Data"
HeaderViewportWidth = "Viewport-Width"
HeaderWidth = "Width"
HeaderETag = "ETag"
HeaderIfMatch = "If-Match"
HeaderIfModifiedSince = "If-Modified-Since"
HeaderIfNoneMatch = "If-None-Match"
HeaderIfUnmodifiedSince = "If-Unmodified-Since"
HeaderLastModified = "Last-Modified"
HeaderVary = "Vary"
HeaderConnection = "Connection"
HeaderKeepAlive = "Keep-Alive"
HeaderAccept = "Accept"
HeaderAcceptCharset = "Accept-Charset"
HeaderAcceptEncoding = "Accept-Encoding"
HeaderAcceptLanguage = "Accept-Language"
HeaderCookie = "Cookie"
HeaderExpect = "Expect"
HeaderMaxForwards = "Max-Forwards"
HeaderSetCookie = "Set-Cookie"
HeaderAccessControlAllowCredentials = "Access-Control-Allow-Credentials"
HeaderAccessControlAllowHeaders = "Access-Control-Allow-Headers"
HeaderAccessControlAllowMethods = "Access-Control-Allow-Methods"
HeaderAccessControlAllowOrigin = "Access-Control-Allow-Origin"
HeaderAccessControlExposeHeaders = "Access-Control-Expose-Headers"
HeaderAccessControlMaxAge = "Access-Control-Max-Age"
HeaderAccessControlRequestHeaders = "Access-Control-Request-Headers"
HeaderAccessControlRequestMethod = "Access-Control-Request-Method"
HeaderOrigin = "Origin"
HeaderTimingAllowOrigin = "Timing-Allow-Origin"
HeaderXPermittedCrossDomainPolicies = "X-Permitted-Cross-Domain-Policies"
HeaderDNT = "DNT"
HeaderTk = "Tk"
HeaderContentDisposition = "Content-Disposition"
HeaderContentEncoding = "Content-Encoding"
HeaderContentLanguage = "Content-Language"
HeaderContentLength = "Content-Length"
HeaderContentLocation = "Content-Location"
HeaderContentType = "Content-Type"
HeaderForwarded = "Forwarded"
HeaderVia = "Via"
HeaderXForwardedFor = "X-Forwarded-For"
HeaderXForwardedHost = "X-Forwarded-Host"
HeaderXForwardedProto = "X-Forwarded-Proto"
HeaderXForwardedProtocol = "X-Forwarded-Protocol"
HeaderXForwardedSsl = "X-Forwarded-Ssl"
HeaderXUrlScheme = "X-Url-Scheme"
HeaderLocation = "Location"
HeaderFrom = "From"
HeaderHost = "Host"
HeaderReferer = "Referer"
HeaderReferrerPolicy = "Referrer-Policy"
HeaderUserAgent = "User-Agent"
HeaderAllow = "Allow"
HeaderServer = "Server"
HeaderAcceptRanges = "Accept-Ranges"
HeaderContentRange = "Content-Range"
HeaderIfRange = "If-Range"
HeaderRange = "Range"
HeaderContentSecurityPolicy = "Content-Security-Policy"
HeaderContentSecurityPolicyReportOnly = "Content-Security-Policy-Report-Only"
HeaderCrossOriginResourcePolicy = "Cross-Origin-Resource-Policy"
HeaderExpectCT = "Expect-CT"
HeaderPermissionsPolicy = "Permissions-Policy"
HeaderPublicKeyPins = "Public-Key-Pins"
HeaderPublicKeyPinsReportOnly = "Public-Key-Pins-Report-Only"
HeaderStrictTransportSecurity = "Strict-Transport-Security"
HeaderUpgradeInsecureRequests = "Upgrade-Insecure-Requests"
HeaderXContentTypeOptions = "X-Content-Type-Options"
HeaderXDownloadOptions = "X-Download-Options"
HeaderXFrameOptions = "X-Frame-Options"
HeaderXPoweredBy = "X-Powered-By"
HeaderXXSSProtection = "X-XSS-Protection"
HeaderLastEventID = "Last-Event-ID"
HeaderNEL = "NEL"
HeaderPingFrom = "Ping-From"
HeaderPingTo = "Ping-To"
HeaderReportTo = "Report-To"
HeaderTE = "TE"
HeaderTrailer = "Trailer"
HeaderTransferEncoding = "Transfer-Encoding"
HeaderSecWebSocketAccept = "Sec-WebSocket-Accept"
HeaderSecWebSocketExtensions = "Sec-WebSocket-Extensions"
HeaderSecWebSocketKey = "Sec-WebSocket-Key"
HeaderSecWebSocketProtocol = "Sec-WebSocket-Protocol"
HeaderSecWebSocketVersion = "Sec-WebSocket-Version"
HeaderAcceptPatch = "Accept-Patch"
HeaderAcceptPushPolicy = "Accept-Push-Policy"
HeaderAcceptSignature = "Accept-Signature"
HeaderAltSvc = "Alt-Svc"
HeaderDate = "Date"
HeaderIndex = "Index"
HeaderLargeAllocation = "Large-Allocation"
HeaderLink = "Link"
HeaderPushPolicy = "Push-Policy"
HeaderRetryAfter = "Retry-After"
HeaderServerTiming = "Server-Timing"
HeaderSignature = "Signature"
HeaderSignedHeaders = "Signed-Headers"
HeaderSourceMap = "SourceMap"
HeaderUpgrade = "Upgrade"
HeaderXDNSPrefetchControl = "X-DNS-Prefetch-Control"
HeaderXPingback = "X-Pingback"
HeaderXRequestID = "X-Request-ID"
HeaderXRequestedWith = "X-Requested-With"
HeaderXRobotsTag = "X-Robots-Tag"
HeaderXUACompatible = "X-UA-Compatible"
HeaderAccessControlAllowPrivateNetwork = "Access-Control-Allow-Private-Network"
)

// Network types that are commonly used
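Review bot: this hunk defines only half of what the middleware needs. `middleware/cors/cors.go` reads `fiber.HeaderAccessControlRequestPrivateNetwork` in its preflight branch and every CI job reports that identifier as undefined, so add `HeaderAccessControlRequestPrivateNetwork = "Access-Control-Request-Private-Network"` to this block alongside the new `HeaderAccessControlAllowPrivateNetwork`. Placing both next to the existing `HeaderAccessControlRequestMethod` / `HeaderAccessControlRequestHeaders` group, rather than appending at the end, keeps the CORS constants together. Worth stating in the PR description that the 122 deletions are gofmt realignment forced by the longer identifier and carry no semantic change, so reviewers can skip them.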
20 changes: 15 additions & 5 deletions middleware/cors/cors.go
@@ -1,4 +1,4 @@
package cors

Check failure on line 1 in middleware/cors/cors.go (GitHub Actions / lint, reported 4 times): # github.com/gofiber/fiber/v3/middleware/cors [github.com/gofiber/fiber/v3/middleware/cors.test]

import (
"strconv"
@@ -63,6 +63,12 @@
//
// Optional. Default value 0.
MaxAge int

// AllowPrivateNetwork indicates whether the Access-Control-Allow-Private-Network
// response header should be set to true, allowing requests from private networks.
//
// Optional. Default value false.
AllowPrivateNetwork bool
}

// ConfigDefault is the default config
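Review bot: the doc comment on `AllowPrivateNetwork` should spell out when the header is sent and what it permits, since this is a security-relevant switch. Per the preflight hunk in this file, the header is only set on preflight requests that carry `Access-Control-Request-Private-Network: true`, and it tells the browser it may let a page loaded from a public origin (still subject to `AllowOrigins`) reach this server on a private address. Because that relaxes the browser's Private Network Access check, the comment should say that the `false` default is deliberate and that the option is meant to be paired with an explicit `AllowOrigins` list rather than a wildcard.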
@@ -78,10 +84,11 @@
fiber.MethodDelete,
fiber.MethodPatch,
}, ","),
AllowHeaders: "",
AllowCredentials: false,
ExposeHeaders: "",
MaxAge: 0,
AllowHeaders: "",
AllowCredentials: false,
ExposeHeaders: "",
MaxAge: 0,
AllowPrivateNetwork: false,
}

// New creates a new middleware handler
@@ -211,7 +218,10 @@
// Preflight request
c.Vary(fiber.HeaderAccessControlRequestMethod)
c.Vary(fiber.HeaderAccessControlRequestHeaders)

if cfg.AllowPrivateNetwork && c.Get(fiber.HeaderAccessControlRequestPrivateNetwork) == "true" {

Check failure on line 221 in middleware/cors/cors.go (GitHub Actions / Build (1.21.x, ubuntu-latest), Build (1.21.x, macos-latest), Build (1.22.x, ubuntu-latest), Build (1.22.x, macos-latest), Build (1.22.x, macos-14), Compare, lint, govulncheck-check): undefined: fiber.HeaderAccessControlRequestPrivateNetwork
c.Vary(fiber.HeaderAccessControlRequestPrivateNetwork)

Check failure on line 222 in middleware/cors/cors.go (GitHub Actions / Build (1.21.x, ubuntu-latest), Build (1.21.x, macos-latest), Build (1.22.x, ubuntu-latest), Build (1.22.x, macos-latest), Build (1.22.x, macos-14), Compare, lint, govulncheck-check): undefined: fiber.HeaderAccessControlRequestPrivateNetwork (typecheck)
c.Set(fiber.HeaderAccessControlAllowPrivateNetwork, "true")
}
setCORSHeaders(c, allowOrigin, allowMethods, allowHeaders, exposeHeaders, maxAge, cfg)

// Send 204 No Content
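Review bot: `c.Vary(fiber.HeaderAccessControlRequestPrivateNetwork)` sits inside the `if`, so a preflight response produced for a request that did not carry the header is cached without that Vary entry, and a cache may later hand it to a preflight that does carry `Access-Control-Request-Private-Network: true`; that response lacks `Access-Control-Allow-Private-Network` and the browser rejects the request. Hoist the Vary call up next to the two `c.Vary` lines above it, gated only on `cfg.AllowPrivateNetwork`, and keep just the `c.Set` inside the condition. Second, the condition never consults `allowOrigin`, which is computed before this point and passed to `setCORSHeaders` on the next line; if `allowOrigin` is empty for a rejected origin, as its use there suggests, add `&& allowOrigin != ""` so a disallowed origin never receives `Access-Control-Allow-Private-Network: true`. Finally, every CI job fails on lines 221 and 222 (and lint on line 1 for the same reason) because `fiber.HeaderAccessControlRequestPrivateNetwork` is not defined; the helpers.go hunk adds only the Allow constant, so the matching Request constant must be added there.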