From 2cbea23d700df9a45899e5de40e93e1a73354ce1 Mon Sep 17 00:00:00 2001
From: Drew Noel
Date: Fri, 11 Nov 2022 01:39:27 -0500
Subject: [PATCH] Add configuration for CORS allowed headers (#21747)

This PR enhances the CORS middleware usage by allowing for the headers to be configured in `app.ini`.

Fixes #21746

Co-authored-by: KN4CK3R
Co-authored-by: John Olheiser
Co-authored-by: Lunny Xiao
---
 custom/conf/app.example.ini | 3 +++
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 1 +
 modules/setting/cors.go | 2 ++
 routers/api/v1/api.go | 2 +-
 routers/web/web.go | 1 +
 5 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 9f41fdb080f..8e85394d348 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1138,6 +1138,9 @@ ROUTER = console
 ;; allow request with credentials
 ;ALLOW_CREDENTIALS = false
 ;;
+;; headers to permit
+;HEADERS = Content-Type,User-Agent
+;;
 ;; set X-FRAME-OPTIONS header
 ;X_FRAME_OPTIONS = SAMEORIGIN
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index b0060e9afa4..aece6afc080 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -200,6 +200,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
 - `MAX_AGE`: **10m**: max time to cache response
 - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
+- `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests
 - `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
 
 ## UI (`ui`)
diff --git a/modules/setting/cors.go b/modules/setting/cors.go
index a843194ff98..74ec6618a53 100644
--- a/modules/setting/cors.go
+++ b/modules/setting/cors.go
@@ -19,10 +19,12 @@ var CORSConfig = struct {
 	Methods []string
 	MaxAge time.Duration
 	AllowCredentials bool
+	Headers []string
 	XFrameOptions string
 }{
 	Enabled: false,
 	MaxAge: 10 * time.Minute,
+	Headers: []string{"Content-Type", "User-Agent"},
 	XFrameOptions: "SAMEORIGIN",
 }
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 0d11674aa99..4b272708402 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -617,7 +617,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 			// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 			AllowedMethods: setting.CORSConfig.Methods,
 			AllowCredentials: setting.CORSConfig.AllowCredentials,
-			AllowedHeaders: []string{"Authorization", "X-Gitea-OTP"},
+			AllowedHeaders: append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),
 			MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
 		}))
 	}
diff --git a/routers/web/web.go b/routers/web/web.go
index 48b33813c9a..d0ee9c5eac0 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -67,6 +67,7 @@ func CorsHandler() func(next http.Handler) http.Handler {
 		// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 		AllowedMethods: setting.CORSConfig.Methods,
 		AllowCredentials: setting.CORSConfig.AllowCredentials,
+		AllowedHeaders: setting.CORSConfig.Headers,
 		MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
 	})
 }
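Review bot: The new `Headers` field in `CORSConfig` and its default carry no comment, and nothing in the struct says how the value is consumed: the API route prepends `Authorization` and `X-Gitea-OTP` to it while the web route uses it as the whole list, so a reader of cors.go cannot tell that `HEADERS` is additive in one place and complete in the other. A field comment such as `// Headers lists the request headers the CORS middleware accepts on preflight; the API routes always allow Authorization and X-Gitea-OTP in addition.` would capture that. The hunk does not show where the `HEADERS` key is mapped onto this field; presumably the existing section-to-struct mapping handles it as it does for `Methods` and `AllowCredentials`, but it is worth confirming that a comma-separated value is split and trimmed the same way. If the middleware is go-chi/cors, a `*` entry makes it echo whatever headers the preflight asks for, which is worth stating in the comment since this list is now admin-controlled and sits next to `AllowCredentials`. The struct's `var` line is in the hunk header rather than the hunk body.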
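Review bot: Setting `AllowedHeaders` on the web handler replaces whatever list the middleware applied when the field was left unset, and neither the commit message nor the docs line mentions that shift. If this is go-chi/cors, an empty `AllowedHeaders` falls back to Origin, Accept, Content-Type and X-Requested-With, so with the new default of Content-Type and User-Agent a deployment that never sets `HEADERS` stops accepting `Accept` and `X-Requested-With` on preflight. Consider seeding the cors.go default with the previously implicit headers, e.g. `Headers: []string{"Accept", "Content-Type", "User-Agent", "X-Requested-With"},`, or calling out the narrowing in the cheat sheet. `CorsHandler` opens in the hunk header and its body continues past the closing `}` shown here.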