Skip to content

Commit 50e7e56

Browse files
danielbpricealdas
danielbprice
authored and
aldas
committed
Improve CORS documentation
* Provide links to further reading * Provide security warnings * Document undocumented wildcard feature * Update to go-1.19 style links
1 parent 16d3b65 commit 50e7e56

File tree

1 file changed

+68
-20
lines changed

1 file changed

+68
-20
lines changed

middleware/cors.go

Lines changed: 68 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -15,46 +15,85 @@ type (
1515
// Skipper defines a function to skip middleware.
1616
Skipper Skipper
1717

18-
// AllowOrigin defines a list of origins that may access the resource.
18+
// AllowOrigins determines the value of the Access-Control-Allow-Origin
19+
// response header. This header defines a list of origins that may access the
20+
// resource. The wildcard characters '*' and '?' are supported and are
21+
// converted to regex fragments '.*' and '.' accordingly.
22+
//
23+
// Security: use extreme caution when handling the origin, and carefully
24+
// validate any logic. Remember that attackers may register hostile domain names.
25+
// See https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
26+
//
1927
// Optional. Default value []string{"*"}.
28+
//
29+
// See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
2030
AllowOrigins []string `yaml:"allow_origins"`
2131

2232
// AllowOriginFunc is a custom function to validate the origin. It takes the
2333
// origin as an argument and returns true if allowed or false otherwise. If
2434
// an error is returned, it is returned by the handler. If this option is
2535
// set, AllowOrigins is ignored.
36+
//
37+
// Security: use extreme caution when handling the origin, and carefully
38+
// validate any logic. Remember that attackers may register hostile domain names.
39+
// See https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
40+
//
2641
// Optional.
2742
AllowOriginFunc func(origin string) (bool, error) `yaml:"allow_origin_func"`
2843

29-
// AllowMethods defines a list methods allowed when accessing the resource.
30-
// This is used in response to a preflight request.
44+
// AllowMethods determines the value of the Access-Control-Allow-Methods
45+
// response header. This header specified the list of methods allowed when
46+
// accessing the resource. This is used in response to a preflight request.
47+
//
3148
// Optional. Default value DefaultCORSConfig.AllowMethods.
32-
// If `allowMethods` is left empty will fill for preflight request `Access-Control-Allow-Methods` header value
49+
// If `allowMethods` is left empty, this middleware will fill for preflight
50+
// request `Access-Control-Allow-Methods` header value
3351
// from `Allow` header that echo.Router set into context.
52+
//
53+
// See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
3454
AllowMethods []string `yaml:"allow_methods"`
3555

36-
// AllowHeaders defines a list of request headers that can be used when
37-
// making the actual request. This is in response to a preflight request.
56+
// AllowHeaders determines the value of the Access-Control-Allow-Headers
57+
// response header. This header is used in response to a preflight request to
58+
// indicate which HTTP headers can be used when making the actual request.
59+
//
3860
// Optional. Default value []string{}.
61+
//
62+
// See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
3963
AllowHeaders []string `yaml:"allow_headers"`
4064

41-
// AllowCredentials indicates whether or not the response to the request
42-
// can be exposed when the credentials flag is true. When used as part of
43-
// a response to a preflight request, this indicates whether or not the
44-
// actual request can be made using credentials.
45-
// Optional. Default value false.
65+
// AllowCredentials determines the value of the
66+
// Access-Control-Allow-Credentials response header. This header indicates
67+
// whether or not the response to the request can be exposed when the
68+
// credentials mode (Request.credentials) is true. When used as part of a
69+
// response to a preflight request, this indicates whether or not the actual
70+
// request can be made using credentials. See also
71+
// [MDN: Access-Control-Allow-Credentials].
72+
//
73+
// Optional. Default value false, in which case the header is not set.
74+
//
4675
// Security: avoid using `AllowCredentials = true` with `AllowOrigins = *`.
47-
// See http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
76+
// See "Exploiting CORS misconfigurations for Bitcoins and bounties",
77+
// https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
78+
//
79+
// See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
4880
AllowCredentials bool `yaml:"allow_credentials"`
4981

50-
// ExposeHeaders defines a whitelist headers that clients are allowed to
51-
// access.
52-
// Optional. Default value []string{}.
82+
// ExposeHeaders determines the value of Access-Control-Expose-Headers, which
83+
// defines a list of headers that clients are allowed to access.
84+
//
85+
// Optional. Default value []string{}, in which case the header is not set.
86+
//
87+
// See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Header
5388
ExposeHeaders []string `yaml:"expose_headers"`
5489

55-
// MaxAge indicates how long (in seconds) the results of a preflight request
56-
// can be cached.
57-
// Optional. Default value 0.
90+
// MaxAge determines the value of the Access-Control-Max-Age response header.
91+
// This header indicates how long (in seconds) the results of a preflight
92+
// request can be cached.
93+
//
94+
// Optional. Default value 0. The header is set only if MaxAge > 0.
95+
//
96+
// See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
5897
MaxAge int `yaml:"max_age"`
5998
}
6099
)
@@ -69,13 +108,22 @@ var (
69108
)
70109

71110
// CORS returns a Cross-Origin Resource Sharing (CORS) middleware.
72-
// See: https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS
111+
// See also [MDN: Cross-Origin Resource Sharing (CORS)].
112+
//
113+
// Security: Poorly configured CORS can compromise security because it allows
114+
// relaxation of the browser's Same-Origin policy. See [Exploiting CORS
115+
// misconfigurations for Bitcoins and bounties] and [Portswigger: Cross-origin
116+
// resource sharing (CORS)] for more details.
117+
//
118+
// [MDN: Cross-Origin Resource Sharing (CORS)]: https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS
119+
// [Exploiting CORS misconfigurations for Bitcoins and bounties]: https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
120+
// [Portswigger: Cross-origin resource sharing (CORS)]: https://portswigger.net/web-security/cors
73121
func CORS() echo.MiddlewareFunc {
74122
return CORSWithConfig(DefaultCORSConfig)
75123
}
76124

77125
// CORSWithConfig returns a CORS middleware with config.
78-
// See: `CORS()`.
126+
// See: [CORS].
79127
func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
80128
// Defaults
81129
if config.Skipper == nil {

0 commit comments

Comments
 (0)