Refactor wildcard out of CORS headers (#81)

Changes to CORS functionality: - `Access-Control-Allow-Origin: *` is set for all requests - for pre-flight OPTIONS requests - specify methods: `Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS` - if the client sent `Access-Control-Request-Headers` then echo back the same value in `Access-Control-Allow-Headers`. If no `Access-Control-Request-Headers` were sent, then send back a default set - set `Access-Control-Max-Age: 86400` to that may improve performance - Add CORS tests to the proxy-manager
2025-03-25 15:24:43 -07:00
parent 680af28bcc
commit 84e2c07a7e
2 changed files with 108 additions and 5 deletions
--- a/proxy/proxymanager.go
+++ b/proxy/proxymanager.go
@@ -72,13 +72,26 @@ func New(config *Config) *ProxyManager {
 		})
 	}

-	// see: https://github.com/mostlygeek/llama-swap/issues/42
+	// see: issue: #81, #77 and #42 for CORS issues
 	// respond with permissive OPTIONS for any endpoint
 	pm.ginEngine.Use(func(c *gin.Context) {
+
+		// set this for all requests
+		c.Header("Access-Control-Allow-Origin", "*")
+
 		if c.Request.Method == "OPTIONS" {
-			c.Header("Access-Control-Allow-Origin", "*")
-			c.Header("Access-Control-Allow-Methods", "*")
-			c.Header("Access-Control-Allow-Headers", "*")
+			c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
+
+			// allow whatever the client requested by default
+			if headers := c.Request.Header.Get("Access-Control-Request-Headers"); headers != "" {
+				c.Header("Access-Control-Allow-Headers", headers)
+			} else {
+				c.Header(
+					"Access-Control-Allow-Headers",
+					"Content-Type, Authorization, Accept, X-Requested-With",
+				)
+			}
+			c.Header("Access-Control-Max-Age", "86400")
 			c.AbortWithStatus(http.StatusNoContent)
 			return
 		}