Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce cors.Config.AllowOriginRequestFunc #60

Merged
merged 1 commit into from
Aug 26, 2018
Merged

Conversation

aeneasr
Copy link
Contributor

@aeneasr aeneasr commented Aug 26, 2018

This patch introduces cors.Config.AllowOriginRequestFunc ( func (r *http.Request origin string) bool) which is a custom function to validate the origin. It takes the HTTP Request object and the origin as argument and returns true if allowed or false otherwise. If this option is set, the content of AllowedOrigins and AllowOriginFunc is ignored

Closes #59

This patch introduces cors.Config.AllowOriginRequestFunc ( `func (r *http.Request origin string) bool`) which is a custom function to validate the origin. It takes the HTTP Request object and the origin as argument and returns true if allowed or false otherwise. If this option is set, the content of `AllowedOrigins` and `AllowOriginFunc` is ignored

Closes rs#59

Signed-off-by: arekkas <aeneas@ory.am>
@aeneasr
Copy link
Contributor Author

aeneasr commented Aug 26, 2018

THanks!

@jub0bs
Copy link
Contributor

jub0bs commented Sep 19, 2022

I perceive AllowOriginRequestFunc as a misfeature, because it opens the door to cache poisoning: users have indeed no way of listing the names of whatever request headers they use in AllowOriginRequestFunc to the Vary header.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Pass r *http.Request to AllowOriginFunc
3 participants