search

stretchr / goweb

A lightweight RESTful web framework for Go
632 stars 61 forks source link

Question: What is the easiest way to deal with CORS? #56

Open sporto opened 10 years ago

sporto commented 10 years ago

I have a client app in a different domain so the browser is trying to do a preflight request. e.g.

OPTIONS /accounts HTTP/1.1
Host    localhost:5000
Access-Control-Request-Method   GET
Origin  http://localhost:9000
Access-Control-Request-Headers  accept, x-requested-with
Accept  */*
Referer http://localhost:9000/
...

I would like goweb to generate the necessary response for any request coming for a particular url e.g.

Access-Control-Allow-Origin: http://localhost:9000
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: X-Custom-Header
Content-Type: text/html; charset=utf-8

Can you please give me an example on how to deal with this? Thanks

sporto commented 10 years ago

I am doing this manually e.g.

goweb.Map(goweb_http.MethodOptions, "/{*}", func(ctx context.Context) error {
    ctx.HttpResponseWriter().Header().Set("Access-Control-Allow-Origin", "http://localhost:9000")
    ctx.HttpResponseWriter().Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT")
    ctx.HttpResponseWriter().Header().Set("Access-Control-Allow-Headers", "origin, x-requested-with, accept")
    return nil
})

But I wonder if goweb should have some kind of convenience method to do this, if it already have one I haven't found.

matryer commented 10 years ago

Hmm… that's not a bad idea at all. What kind of interface would you expect?

Do you think it should go into a goweb/cores package?

On 10 Oct 2013, at 15:33, Sebastian Porto notifications@github.com wrote:

I am doing this manually e.g.

goweb.Map(goweb_http.MethodOptions, "/{*}", func(ctx context.Context) error { ctx.HttpResponseWriter().Header().Set("Access-Control-Allow-Origin", "http://localhost:9000") ctx.HttpResponseWriter().Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT") ctx.HttpResponseWriter().Header().Set("Access-Control-Allow-Headers", "origin, x-requested-with, accept") return nil }) But I wonder if goweb should have some kind of convenience method to do this, if it already have one I haven't found.

— Reply to this email directly or view it on GitHub.

sporto commented 10 years ago

It would be nice to have a simple catch all method like:

goweb.AllowCORSFor(whitelistedDomains, options)

don't really know what kind of options would you pass, I haven't done too much work with CORS yet.

matryer commented 10 years ago

Would using a MapBefore method work better here?

On 17 Oct 2013, at 04:44, Sebastian Porto notifications@github.com wrote:

It would be nice to have a simple catch all method like:

goweb.AllowCORSFor(whitelistedDomains, options) don't really know what kind of options would you pass, I haven't done too much work with CORS yet.

— Reply to this email directly or view it on GitHub.

sporto commented 10 years ago

Sorry, closed this by mistake, when trying to comment.

Looking at the documentation MapBefore could be more flexible, or it could be some special handler you pass to Map:

goweb.Map(goweb_http.MethodOptions, "/{*}", goweb.CORSHandler(whitelistedDomains))
matryer commented 10 years ago

I quite like that - fancy doing a PR?

matryer commented 10 years ago

see https://github.com/stretchr/goweb/wiki/Development-practices

sporto commented 10 years ago

I would like to, if I can find the spare time to have a go I will do it. Thanks