Merge pull request #16008 from jub0bs/cors
util/httputil: Always add Vary header in SetCORS (fixes #15406)
commit
dd9e18c831
@ -23,11 +23,11 @@ var corsHeaders = map[string]string{
|
||||
"Access-Control-Allow-Headers": "Accept, Authorization, Content-Type, Origin",
|
||||
"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
|
||||
"Access-Control-Expose-Headers": "Date",
|
||||
"Vary": "Origin",
|
||||
}
|
||||
|
||||
// SetCORS enables cross-site script calls.
|
||||
// SetCORS enables cross-origin script calls.
|
||||
func SetCORS(w http.ResponseWriter, o *regexp.Regexp, r *http.Request) {
|
||||
w.Header().Add("Vary", "Origin")
|
||||
origin := r.Header.Get("Origin")
|
||||
if origin == "" {
|
||||
return
|
||||
|
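Review bot: The new `w.Header().Add("Vary", "Origin")` at the top of SetCORS has no comment explaining why it runs before the empty-Origin early return, and that ordering is the whole point of the change. I would add above it `// Always vary on Origin, even for requests that carry none, so a shared cache never reuses one origin's response for another.` Because the call is `Add` rather than `Set`, it keeps any Vary value written earlier but would emit a second `Origin` entry if SetCORS ever ran twice on the same response; the doc comment could say it is meant to be called once per response. The rest of SetCORS lies outside the hunk, so how `o` is matched against the origin cannot be judged from here.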
@ -48,8 +48,10 @@ func TestCORSHandler(t *testing.T) {
|
||||
resp, err := client.Do(req)
|
||||
require.NoError(t, err, "client get failed with unexpected error")
|
||||
|
||||
AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
|
||||
Vary := resp.Header.Get("Vary")
|
||||
require.Equal(t, "Origin", Vary)
|
||||
|
||||
AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
|
||||
require.Equal(t, dummyOrigin, AccessControlAllowOrigin, "expected Access-Control-Allow-Origin header")
|
||||
|
||||
// OPTIONS with bad origin
|
||||
@ -62,4 +64,20 @@ func TestCORSHandler(t *testing.T) {
|
||||
|
||||
AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
|
||||
require.Empty(t, AccessControlAllowOrigin, "Access-Control-Allow-Origin header should not exist but it was set")
|
||||
|
||||
Vary = resp.Header.Get("Vary")
|
||||
require.Equal(t, "Origin", Vary)
|
||||
|
||||
// OPTIONS with no origin
|
||||
req, err = http.NewRequest(http.MethodOptions, server.URL+"/any_path", nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
resp, err = client.Do(req)
|
||||
require.NoError(t, err)
|
||||
|
||||
Vary = resp.Header.Get("Vary")
|
||||
require.Equal(t, "Origin", Vary)
|
||||
|
||||
AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
|
||||
require.Empty(t, AccessControlAllowOrigin)
|
||||
}
|
||||
|
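Review bot: The added checks read `resp.Header.Get("Vary")`, which returns only the first Vary value, so they cannot detect a duplicated `Origin` entry now that SetCORS uses `Add`. This applies to all three assertions in TestCORSHandler: the good-origin, bad-origin and no-origin cases. Comparing the full list, `require.Equal(t, []string{"Origin"}, resp.Header.Values("Vary"))`, pins exactly what the handler emits. The new no-origin request also never closes `resp.Body` in the lines shown; a `resp.Body.Close()` after the assertions would keep the test from leaking the connection. The start of TestCORSHandler is outside the hunks, so an earlier close or cleanup may exist that is not visible here.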