• Stars
    star
    2,625
  • Rank 17,445 (Top 0.4 %)
  • Language
    Go
  • License
    MIT License
  • Created about 10 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Go net/http configurable handler to handle CORS requests

Go CORS handler godoc license Go Coverage

CORS is a net/http handler implementing Cross Origin Resource Sharing W3 specification in Golang.

Getting Started

After installing Go and setting up your GOPATH, create your first .go file. We'll call it server.go.

package main

import (
    "net/http"

    "github.com/rs/cors"
)

func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Content-Type", "application/json")
        w.Write([]byte("{\"hello\": \"world\"}"))
    })

    // cors.Default() setup the middleware with default options being
    // all origins accepted with simple methods (GET, POST). See
    // documentation below for more options.
    handler := cors.Default().Handler(mux)
    http.ListenAndServe(":8080", handler)
}

Install cors:

go get github.com/rs/cors

Then run your server:

go run server.go

The server now runs on localhost:8080:

$ curl -D - -H 'Origin: http://foo.com' http://localhost:8080/
HTTP/1.1 200 OK
Access-Control-Allow-Origin: foo.com
Content-Type: application/json
Date: Sat, 25 Oct 2014 03:43:57 GMT
Content-Length: 18

{"hello": "world"}

Allow * With Credentials Security Protection

This library has been modified to avoid a well known security issue when configured with AllowedOrigins to * and AllowCredentials to true. Such setup used to make the library reflects the request Origin header value, working around a security protection embedded into the standard that makes clients to refuse such configuration. This behavior has been removed with #55 and #57.

If you depend on this behavior and understand the implications, you can restore it using the AllowOriginFunc with func(origin string) {return true}.

Please refer to #55 for more information about the security implications.

More Examples

Parameters

Parameters are passed to the middleware thru the cors.New method as follow:

c := cors.New(cors.Options{
    AllowedOrigins: []string{"http://foo.com", "http://foo.com:8080"},
    AllowCredentials: true,
    // Enable Debugging for testing, consider disabling in production
    Debug: true,
})

// Insert the middleware
handler = c.Handler(handler)
  • AllowedOrigins []string: A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality. Only one wildcard can be used per origin. The default value is *.
  • AllowOriginFunc func (origin string) bool: A custom function to validate the origin. It takes the origin as an argument and returns true if allowed, or false otherwise. If this option is set, the content of AllowedOrigins is ignored.
  • AllowOriginRequestFunc func (r *http.Request, origin string) bool: A custom function to validate the origin. It takes the HTTP Request object and the origin as argument and returns true if allowed or false otherwise. If this option is set, the contents of AllowedOrigins and AllowOriginFunc are ignored. Deprecated: use AllowOriginVaryRequestFunc instead.
  • AllowOriginVaryRequestFunc func(r *http.Request, origin string) (bool, []string): A custom function to validate the origin. It takes the HTTP Request object and the origin as argument and returns true if allowed or false otherwise with a list of headers used to take that decision if any so they can be added to the Vary header. If this option is set, the contents of AllowedOrigins, AllowOriginFunc and AllowOriginRequestFunc are ignored.
  • AllowedMethods []string: A list of methods the client is allowed to use with cross-domain requests. Default value is simple methods (GET and POST).
  • AllowedHeaders []string: A list of non simple headers the client is allowed to use with cross-domain requests.
  • ExposedHeaders []string: Indicates which headers are safe to expose to the API of a CORS API specification.
  • AllowCredentials bool: Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates. The default is false.
  • AllowPrivateNetwork bool: Indicates whether to accept cross-origin requests over a private network.
  • MaxAge int: Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
  • OptionsPassthrough bool: Instructs preflight to let other potential next handlers to process the OPTIONS method. Turn this on if your application handles OPTIONS.
  • OptionsSuccessStatus int: Provides a status code to use for successful OPTIONS requests. Default value is http.StatusNoContent (204).
  • Debug bool: Debugging flag adds additional output to debug server side CORS issues.

See API documentation for more info.

Benchmarks

goos: darwin
goarch: arm64
pkg: github.com/rs/cors
BenchmarkWithout-10            	135325480	         8.124 ns/op	       0 B/op	       0 allocs/op
BenchmarkDefault-10            	24082140	        51.40 ns/op	       0 B/op	       0 allocs/op
BenchmarkAllowedOrigin-10      	16424518	        88.25 ns/op	       0 B/op	       0 allocs/op
BenchmarkPreflight-10          	 8010259	       147.3 ns/op	       0 B/op	       0 allocs/op
BenchmarkPreflightHeader-10    	 6850962	       175.0 ns/op	       0 B/op	       0 allocs/op
BenchmarkWildcard/match-10     	253275342	         4.714 ns/op	       0 B/op	       0 allocs/op
BenchmarkWildcard/too_short-10 	1000000000	         0.6235 ns/op	       0 B/op	       0 allocs/op
PASS
ok  	github.com/rs/cors	99.131s

Licenses

All source code is licensed under the MIT License.

More Repositories

1

zerolog

Zero Allocation JSON Logger
Go
10,343
star
2

xid

xid is a globally unique id generator thought for the web
Go
3,874
star
3

curlie

The power of curl, the ease of use of httpie.
Go
2,808
star
4

rest-layer

REST Layer, Go (golang) REST API framework
Go
1,257
star
5

SDSegmentedControl

A drop-in remplacement for UISegmentedControl that mimic iOS 6 AppStore tab controls
Objective-C
1,200
star
6

pushd

Blazing fast multi-protocol mobile and web push notification service
CoffeeScript
1,162
star
7

jplot

iTerm2 expvar/JSON monitoring tool
Go
1,140
star
8

SDAVAssetExportSession

AVAssetExportSession drop-in replacement with customizable audio&video settings
Objective-C
800
star
9

SDURLCache

URLCache subclass with on-disk cache support on iPhone/iPad
Objective-C
798
star
10

SafariTabSwitching

A SIMBL plugin for Safari 5.1 allowing tab switching by index (using Cmd-1, Cmd-2…)
Objective-C
472
star
11

jaggr

JSON Aggregation CLI
Go
460
star
12

SafariOmnibar

Safari plugin to add Chrome like omnibar in Safari
Objective-C
416
star
13

dnstrace

DNS resolution tracing tool
Go
270
star
14

dnscache

DNS lookup cache for Go
Go
267
star
15

node-netmask

Parse and lookup IP network blocks
CoffeeScript
253
star
16

xhandler

XHandler is a bridge between net/context and http.Handler
Go
233
star
17

xlog

xlog is a logger for net/context aware HTTP applications
Go
138
star
18

seamless

Seamless restart / zero-downtime deploy for Go servers
Go
107
star
19

xmux

xmux is a httprouter fork on top of xhandler (net/context aware)
Go
98
star
20

vast

Golang VAST 3.0 library
Go
83
star
21

xstats

xstats is a generic client for service instrumentation
Go
82
star
22

gls

A graphical ls command for iTerm2 with icons
Swift
78
star
23

SDNetworkActivityIndicator

Handle show/hiding of the iOS network activity indicator
Objective-C
75
star
24

zkfarmer

ZkFarmer is a set of tools to easily manage distributed server farms using Apache ZooKeeper
Python
74
star
25

logbench

Golang logging library benchmarks
Go
69
star
26

dashplay

Easy dashboard screen management
HTML
67
star
27

SDAdvancedWebView

Add some handy features to you UIWebViews
Objective-C
49
star
28

eve-auth-jwt

Eve OAuth 2.0 JWT token validation authentication module
Python
46
star
29

domcheck

A Python library to validate the ownership of a domain using different strategies
Python
45
star
30

iris-ice

Iris keyboard build with custom case
43
star
31

scanman

ScanSnap manager for Raspberry Pi
Python
40
star
32

formjson

Go net/http handler to transparently manage posted JSON
Go
39
star
33

moquette

MQTT service dispatcher
Go
38
star
34

SDReachability

Easy to use and to embed Reachability library
Objective-C
36
star
35

golp

Go panic logger
Go
27
star
36

xaccess

Go http handler access logger
Go
20
star
37

tzsp

TaZmen Sniffer Protocol (TZSP) parser in Go
Go
20
star
38

rest-layer-mongo

REST Layer MongoDB resource storage handler
Go
18
star
39

audience-meter

Lightweight server to mesure audience of a live event
JavaScript
17
star
40

node-dnsstamp

DNS Stamp encoding/decoding library for node
TypeScript
15
star
41

net-server-mail

Extensible Perl implementation of the STMP protocol and its different evolutions (ie: ESMTP, LMTP)
Perl
15
star
42

vmap

Golang VMAP 1.0 library
Go
14
star
43

SDSRTParser

Objective-C SRT subtitle parser
Objective-C
13
star
44

mysql-genocide

Parallel operations on MySQL processlist
Perl
11
star
45

dnsdump

DNS Packet Dump
Go
10
star
46

pinba_http

Pinba HTTP Gateway
Python
8
star
47

gh-readme

Githup pages template for projects README
CSS
7
star
48

rest-layer-es

REST Layer ElasticSearch resource storage handler
Go
6
star
49

mydbd

A mysqli OO interface with PEAR::DB API compatibility
PHP
5
star
50

local-ip

Go
4
star
51

rest-layer-mem

REST Layer memory storage handler
Go
4
star
52

homebrew-tap

rs homebrew packages
Ruby
3
star
53

xlog-nsq

XLog to NSQ Output
Go
3
star
54

rest-layer-hystrix

REST Layer Hystrix storage handler wrapper
Go
3
star
55

rrdpoller

Easily query and perform threshold tests on RRD files data
Perl
3
star
56

rrdcollect-remote

Collect rrdcollect output from several hosts to update local RRD files
Perl
2
star
57

SiriDailymotion

AssistantExtensions plugin to integrate Dailymotion to Siri on Jailbroken iPhone 4s
Objective-C
2
star
58

proxy

A simple HTTP explicit forward proxy http.Handler
Go
2
star
59

gcs-oauth2-boto-env-plugin

Google Storage auth2 plugin with support for passing service key via environment
Python
2
star
60

rs.github.com

1
star
61

obfu

Go
1
star