From 851eefabec06b34d6e78b7a98290f2316cca3e3c Mon Sep 17 00:00:00 2001
From: Sumner Evans
Date: Fri, 23 Aug 2024 15:43:56 -0600
Subject: [PATCH] exhttp: add CORS helpers
Signed-off-by: Sumner Evans
---
exhttp/cors.go | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 exhttp/cors.go
diff --git a/exhttp/cors.go b/exhttp/cors.go
new file mode 100644
index 0000000..037be8d
--- /dev/null
+++ b/exhttp/cors.go
@@ -0,0 +1,26 @@
+package exhttp
+
+import "net/http"
+
+func AddCORSHeaders(w http.ResponseWriter) {
+ // Recommended CORS headers can be found in https://spec.matrix.org/v1.3/client-server-api/#web-browser-clients
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+ w.Header().Set("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, Authorization")
+ w.Header().Set("Content-Security-Policy", "sandbox; default-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';")
+ // Allow browsers to cache above for 1 day
+ w.Header().Set("Access-Control-Max-Age", "86400")
+}
+
+// CORSMiddleware adds CORS headers to the response and handles OPTIONS
+// requests by returning 200 OK immediately.
+func CORSMiddleware(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ AddCORSHeaders(w)
+ if r.Method == http.MethodOptions {
+ w.WriteHeader(http.StatusOK)
+ return
+ }
+ next.ServeHTTP(w, r)
+ })
+}
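Review bot: `AddCORSHeaders` is exported without a doc comment, and the one thing a caller needs to know is not stated anywhere: it sets `Access-Control-Allow-Origin: *` unconditionally, so any web page can read responses from whatever handler `CORSMiddleware` wraps. That is the setting the in-code comment attributes to the Matrix spec, and it fits APIs where every request carries an explicit `Authorization` token, but it is not appropriate in front of handlers that rely on ambient trust, such as an unauthenticated listener bound to localhost or an internal network. I would add `// AddCORSHeaders allows cross-origin reads from any origin; use it only on endpoints that authenticate every request with an explicit token.` above the function. The same function also sets `Content-Security-Policy`, which is not a CORS header and should be named in that comment, since `sandbox; default-src 'none'` will apply to any HTML a wrapped handler serves.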