router: support the Access-Control-Request-Private-Network
header (#117)
This commit is contained in:
parent
649dc9663e
commit
bb7ee24087
|
@ -286,6 +286,12 @@ type Configuration struct {
|
||||||
// The Panel URL is automatically allowed, this is only needed for adding
|
// The Panel URL is automatically allowed, this is only needed for adding
|
||||||
// additional origins.
|
// additional origins.
|
||||||
AllowedOrigins []string `json:"allowed_origins" yaml:"allowed_origins"`
|
AllowedOrigins []string `json:"allowed_origins" yaml:"allowed_origins"`
|
||||||
|
|
||||||
|
// AllowCORSPrivateNetwork sets the `Access-Control-Request-Private-Network` header which
|
||||||
|
// allows client browsers to make requests to internal IP addresses over HTTP. This setting
|
||||||
|
// is only required by users running Wings without SSL certificates and using internal IP
|
||||||
|
// addresses in order to connect. Most users should NOT enable this setting.
|
||||||
|
AllowCORSPrivateNetwork bool `json:"allow_cors_private_network" yaml:"allow_cors_private_network"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewAtPath creates a new struct and set the path where it should be stored.
|
// NewAtPath creates a new struct and set the path where it should be stored.
|
||||||
|
|
|
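Review bot: The doc comment added above the `AllowCORSPrivateNetwork` field names the wrong header: `Access-Control-Request-Private-Network` is the header the browser sends on its preflight request, whereas the response header a server must return to grant access is `Access-Control-Allow-Private-Network`. The middleware hunk below uses the same request-header name in `c.Header("Access-Control-Request-Private-Network", "true")`, so as written the browser never sees an allowance and the new setting has no effect. Suggested comment: `// AllowCORSPrivateNetwork sets the Access-Control-Allow-Private-Network response header, which`, and the middleware line should become `c.Header("Access-Control-Allow-Private-Network", "true")`.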
@ -218,19 +218,29 @@ func CaptureErrors() gin.HandlerFunc {
|
||||||
// SetAccessControlHeaders sets the access request control headers on all of
|
// SetAccessControlHeaders sets the access request control headers on all of
|
||||||
// the requests.
|
// the requests.
|
||||||
func SetAccessControlHeaders() gin.HandlerFunc {
|
func SetAccessControlHeaders() gin.HandlerFunc {
|
||||||
origins := config.Get().AllowedOrigins
|
cfg := config.Get()
|
||||||
location := config.Get().PanelLocation
|
origins := cfg.AllowedOrigins
|
||||||
|
location := cfg.PanelLocation
|
||||||
|
allowPrivateNetwork := cfg.AllowCORSPrivateNetwork
|
||||||
|
|
||||||
return func(c *gin.Context) {
|
return func(c *gin.Context) {
|
||||||
|
c.Header("Access-Control-Allow-Origin", location)
|
||||||
c.Header("Access-Control-Allow-Credentials", "true")
|
c.Header("Access-Control-Allow-Credentials", "true")
|
||||||
c.Header("Access-Control-Allow-Methods", "GET, POST, PATCH, PUT, DELETE, OPTIONS")
|
c.Header("Access-Control-Allow-Methods", "GET, POST, PATCH, PUT, DELETE, OPTIONS")
|
||||||
|
c.Header("Access-Control-Allow-Headers", "Accept, Accept-Encoding, Authorization, Cache-Control, Content-Type, Content-Length, Origin, X-Real-IP, X-CSRF-Token")
|
||||||
|
|
||||||
|
// CORS for Private Networks (RFC1918)
|
||||||
|
// @see https://developer.chrome.com/blog/private-network-access-update/?utm_source=devtools
|
||||||
|
if allowPrivateNetwork {
|
||||||
|
c.Header("Access-Control-Request-Private-Network", "true")
|
||||||
|
}
|
||||||
|
|
||||||
// Maximum age allowable under Chromium v76 is 2 hours, so just use that since
|
// Maximum age allowable under Chromium v76 is 2 hours, so just use that since
|
||||||
// anything higher will be ignored (even if other browsers do allow higher values).
|
// anything higher will be ignored (even if other browsers do allow higher values).
|
||||||
//
|
//
|
||||||
// @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age#Directives
|
// @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age#Directives
|
||||||
c.Header("Access-Control-Max-Age", "7200")
|
c.Header("Access-Control-Max-Age", "7200")
|
||||||
c.Header("Access-Control-Allow-Origin", location)
|
|
||||||
c.Header("Access-Control-Allow-Headers", "Accept, Accept-Encoding, Authorization, Cache-Control, Content-Type, Content-Length, Origin, X-Real-IP, X-CSRF-Token")
|
|
||||||
// Validate that the request origin is coming from an allowed origin. Because you
|
// Validate that the request origin is coming from an allowed origin. Because you
|
||||||
// cannot set multiple values here we need to see if the origin is one of the ones
|
// cannot set multiple values here we need to see if the origin is one of the ones
|
||||||
// that we allow, and if so return it explicitly. Otherwise, just return the default
|
// that we allow, and if so return it explicitly. Otherwise, just return the default
|
||||||
|
|
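Review bot: The block starting at `if allowPrivateNetwork {` emits the private-network header on every response, but browsers only evaluate it on the preflight (OPTIONS) response, so it can be narrowed to `if allowPrivateNetwork && c.Request.Method == http.MethodOptions {` (or compare against the literal `"OPTIONS"` if net/http is not already imported in this file). That keeps the header off ordinary responses and makes its purpose clearer to the next reader. SetAccessControlHeaders continues outside the hunk, where the origin validation that overrides `Access-Control-Allow-Origin` lives, so the ordering of the new `c.Header` calls relative to that check should be verified there.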