http: CORS should not be send if not set (#6433)

2024-11-07 09:04:52 +01:00 · 2023-07-29 02:58:37 +00:00 · 2023-07-29 02:58:37 +00:00 · f4449440f8
commit f4449440f8
parent e66675d346
3 changed files with 51 additions and 18 deletions
--- a/fs/rc/rcserver/rcserver.go
+++ b/fs/rc/rcserver/rcserver.go
@ -212,11 +212,6 @@ func writeError(path string, in rc.Params, w http.ResponseWriter, err error, sta
 func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 	path := strings.TrimLeft(r.URL.Path, "/")

-	// echo back access control headers client needs
-	//reqAccessHeaders := r.Header.Get("Access-Control-Request-Headers")
-	w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
-	w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
-
 	switch r.Method {
 	case "POST":
 		s.handlePost(w, r, path)
--- a/lib/http/middleware.go
+++ b/lib/http/middleware.go
@ -173,14 +173,10 @@ func MiddlewareCORS(allowOrigin string) Middleware {

 			if allowOrigin != "" {
 				w.Header().Add("Access-Control-Allow-Origin", allowOrigin)
-			} else {
-				w.Header().Add("Access-Control-Allow-Origin", PublicURL(r))
+				w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
+				w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
 			}

-			// echo back access control headers client needs
-			w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
-			w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
-
 			if r.Method == "OPTIONS" {
 				w.WriteHeader(http.StatusOK)
 				return
--- a/lib/http/middleware_test.go
+++ b/lib/http/middleware_test.go
@ -332,13 +332,6 @@ func TestMiddlewareCORS(t *testing.T) {
 		name string
 		http Config
 	}{
-		{
-			name: "EmptyOrigin",
-			http: Config{
-				ListenAddr:  []string{"127.0.0.1:0"},
-				AllowOrigin: "",
-			},
-		},
 		{
 			name: "CustomOrigin",
 			http: Config{
@ -389,6 +382,55 @@ func TestMiddlewareCORS(t *testing.T) {
 	}
 }

+func TestMiddlewareCORSEmptyOrigin(t *testing.T) {
+	servers := []struct {
+		name string
+		http Config
+	}{
+		{
+			name: "EmptyOrigin",
+			http: Config{
+				ListenAddr:  []string{"127.0.0.1:0"},
+				AllowOrigin: "",
+			},
+		},
+	}
+
+	for _, ss := range servers {
+		t.Run(ss.name, func(t *testing.T) {
+			s, err := NewServer(context.Background(), WithConfig(ss.http))
+			require.NoError(t, err)
+			defer func() {
+				require.NoError(t, s.Shutdown())
+			}()
+
+			expected := []byte("data")
+			s.Router().Mount("/", testEchoHandler(expected))
+			s.Serve()
+
+			url := testGetServerURL(t, s)
+
+			client := &http.Client{}
+			req, err := http.NewRequest("GET", url, nil)
+			require.NoError(t, err)
+
+			resp, err := client.Do(req)
+			require.NoError(t, err)
+			defer func() {
+				_ = resp.Body.Close()
+			}()
+
+			require.Equal(t, http.StatusOK, resp.StatusCode, "should return ok")
+
+			testExpectRespBody(t, resp, expected)
+
+			for _, key := range _testCORSHeaderKeys {
+				require.NotContains(t, resp.Header, key, "CORS headers should not be sent")
+			}
+		})
+	}
+}
+
 func TestMiddlewareCORSWithAuth(t *testing.T) {
 	authServers := []struct {
 		name string