fix API handler to respect referer + exit on CORS

this commit makes the API handler short circuit the request if the CORS headers say its not allowed. (the CORS handler only sets the headers, but does not short-circuit) It also makes the handler respect the referer again. See security discussion at ipfs/kubo#1532 License: MIT Signed-off-by: Juan Batiz-Benet <juan@benet.ai> This commit was moved from ipfs/kubo@d5f94be
ipfs · Jul 29, 2015 · 7b098f2 · 7b098f2
1 parent c993cec
commit 7b098f2
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/gateway/core/corehttp/commands.go b/gateway/core/corehttp/commands.go
@@ -42,13 +42,13 @@ func addCORSFromEnv(c *cmdsHttp.ServerConfig) {
 func addHeadersFromConfig(c *cmdsHttp.ServerConfig, nc *config.Config) {
  log.Info("Using API.HTTPHeaders:", nc.API.HTTPHeaders)
 
- if acao := nc.API.HTTPHeaders["Access-Control-Allow-Origin"]; acao != nil {
+ if acao := nc.API.HTTPHeaders[cmdsHttp.ACAOrigin]; acao != nil {
  c.CORSOpts.AllowedOrigins = acao
  }
- if acam := nc.API.HTTPHeaders["Access-Control-Allow-Methods"]; acam != nil {
+ if acam := nc.API.HTTPHeaders[cmdsHttp.ACAMethods]; acam != nil {
  c.CORSOpts.AllowedMethods = acam
  }
- if acac := nc.API.HTTPHeaders["Access-Control-Allow-Credentials"]; acac != nil {
+ if acac := nc.API.HTTPHeaders[cmdsHttp.ACACredentials]; acac != nil {
  for _, v := range acac {
  c.CORSOpts.AllowCredentials = (strings.ToLower(v) == "true")
  }