Skip to content

Commit

Permalink
cors middleware: allow sending Access-Control-Max-Age: 0 value with…
Browse files Browse the repository at this point in the history
… config.MaxAge being negative number. (#2518)
  • Loading branch information
aldas authored Sep 19, 2023
1 parent 3950c44 commit 4bc3e47
Show file tree
Hide file tree
Showing 2 changed files with 61 additions and 3 deletions.
11 changes: 8 additions & 3 deletions middleware/cors.go
Original file line number Diff line number Diff line change
Expand Up @@ -99,8 +99,9 @@ type (
// MaxAge determines the value of the Access-Control-Max-Age response header.
// This header indicates how long (in seconds) the results of a preflight
// request can be cached.
// The header is set only if MaxAge != 0, negative value sends "0" which instructs browsers not to cache that response.
//
// Optional. Default value 0. The header is set only if MaxAge > 0.
// Optional. Default value 0 - meaning header is not sent.
//
// See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
MaxAge int `yaml:"max_age"`
Expand Down Expand Up @@ -159,7 +160,11 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
allowMethods := strings.Join(config.AllowMethods, ",")
allowHeaders := strings.Join(config.AllowHeaders, ",")
exposeHeaders := strings.Join(config.ExposeHeaders, ",")
maxAge := strconv.Itoa(config.MaxAge)

maxAge := "0"
if config.MaxAge > 0 {
maxAge = strconv.Itoa(config.MaxAge)
}

return func(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
Expand Down Expand Up @@ -282,7 +287,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
res.Header().Set(echo.HeaderAccessControlAllowHeaders, h)
}
}
if config.MaxAge > 0 {
if config.MaxAge != 0 {
res.Header().Set(echo.HeaderAccessControlMaxAge, maxAge)
}
return c.NoContent(http.StatusNoContent)
Expand Down
53 changes: 53 additions & 0 deletions middleware/cors_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,59 @@ func TestCORS(t *testing.T) {
echo.HeaderAccessControlMaxAge: "3600",
},
},
{
name: "ok, preflight request when `Access-Control-Max-Age` is set",
givenMW: CORSWithConfig(CORSConfig{
AllowOrigins: []string{"localhost"},
AllowCredentials: true,
MaxAge: 1,
}),
whenMethod: http.MethodOptions,
whenHeaders: map[string]string{
echo.HeaderOrigin: "localhost",
echo.HeaderContentType: echo.MIMEApplicationJSON,
},
expectHeaders: map[string]string{
echo.HeaderAccessControlMaxAge: "1",
},
},
{
name: "ok, preflight request when `Access-Control-Max-Age` is set to 0 - not to cache response",
givenMW: CORSWithConfig(CORSConfig{
AllowOrigins: []string{"localhost"},
AllowCredentials: true,
MaxAge: -1, // forces `Access-Control-Max-Age: 0`
}),
whenMethod: http.MethodOptions,
whenHeaders: map[string]string{
echo.HeaderOrigin: "localhost",
echo.HeaderContentType: echo.MIMEApplicationJSON,
},
expectHeaders: map[string]string{
echo.HeaderAccessControlMaxAge: "0",
},
},
{
name: "ok, CORS check are skipped",
givenMW: CORSWithConfig(CORSConfig{
AllowOrigins: []string{"localhost"},
AllowCredentials: true,
Skipper: func(c echo.Context) bool {
return true
},
}),
whenMethod: http.MethodOptions,
whenHeaders: map[string]string{
echo.HeaderOrigin: "localhost",
echo.HeaderContentType: echo.MIMEApplicationJSON,
},
notExpectHeaders: map[string]string{
echo.HeaderAccessControlAllowOrigin: "localhost",
echo.HeaderAccessControlAllowMethods: "GET,HEAD,PUT,PATCH,POST,DELETE",
echo.HeaderAccessControlAllowCredentials: "true",
echo.HeaderAccessControlMaxAge: "3600",
},
},
{
name: "ok, preflight request with wildcard `AllowOrigins` and `AllowCredentials` true",
givenMW: CORSWithConfig(CORSConfig{
Expand Down

0 comments on commit 4bc3e47

Please sign in to comment.