265cd70bdb
Backport #28587, the only conflict is the test file. The CORS code has been unmaintained for long time, and the behavior is not correct. This PR tries to improve it. The key point is written as comment in code. And add more tests. Fix #28515 Fix #27642 Fix #17098 (cherry picked from commit 7a2786ca6cd84633784a2c9986da65a9c4d79c78)
34 lines
973 B
Go
34 lines
973 B
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package setting
|
|
|
|
import (
|
|
"time"
|
|
|
|
"code.gitea.io/gitea/modules/log"
|
|
)
|
|
|
|
// CORSConfig defines CORS settings
|
|
var CORSConfig = struct {
|
|
Enabled bool
|
|
AllowDomain []string // FIXME: this option is from legacy code, it actually works as "AllowedOrigins". When refactoring in the future, the config option should also be renamed together.
|
|
Methods []string
|
|
MaxAge time.Duration
|
|
AllowCredentials bool
|
|
Headers []string
|
|
XFrameOptions string
|
|
}{
|
|
AllowDomain: []string{"*"},
|
|
Methods: []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
|
|
Headers: []string{"Content-Type", "User-Agent"},
|
|
MaxAge: 10 * time.Minute,
|
|
XFrameOptions: "SAMEORIGIN",
|
|
}
|
|
|
|
func loadCorsFrom(rootCfg ConfigProvider) {
|
|
mustMapSetting(rootCfg, "cors", &CORSConfig)
|
|
if CORSConfig.Enabled {
|
|
log.Info("CORS Service Enabled")
|
|
}
|
|
}
|