exhttp: add CORS helpers

Signed-off-by: Sumner Evans <[email protected]>
mautrix · Aug 23, 2024 · 851eefa · 851eefa
1 parent 7ddfdc9
commit 851eefa
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/exhttp/cors.go b/exhttp/cors.go
@@ -0,0 +1,26 @@
+package exhttp
+
+import "net/http"
+
+func AddCORSHeaders(w http.ResponseWriter) {
+	// Recommended CORS headers can be found in https://spec.matrix.org/v1.3/client-server-api/#web-browser-clients
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+	w.Header().Set("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, Authorization")
+	w.Header().Set("Content-Security-Policy", "sandbox; default-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';")
+	// Allow browsers to cache above for 1 day
+	w.Header().Set("Access-Control-Max-Age", "86400")
+}
+
+// CORSMiddleware adds CORS headers to the response and handles OPTIONS
+// requests by returning 200 OK immediately.
+func CORSMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		AddCORSHeaders(w)
+		if r.Method == http.MethodOptions {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}