Refactor CORS handler (#28587)

The CORS code has been unmaintained for long time, and the behavior is not correct. This PR tries to improve it. The key point is written as comment in code. And add more tests. Fix #28515 Fix #27642 Fix #17098
author: wxiaoguang <wxiaoguang@gmail.com> 2023-12-25 20:13:18 +0800
committer: GitHub <noreply@github.com> 2023-12-25 20:13:18 +0800
commit: b41925cee3d67a1fe546c7a219174e4a8b2302b7 (patch)
tree: c5d40048ba59379dc62821a19ecb4257499a6ee6 /routers/api
parent: d0f24ff4cad05c1145afeca791e7d02fe146d46a (diff)
download: gitea-b41925cee3d67a1fe546c7a219174e4a8b2302b7.tar.gz
gitea-b41925cee3d67a1fe546c7a219174e4a8b2302b7.zip
1 files changed, 1 insertions, 3 deletions
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 0e437bb92e..a4c3d6f444 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -822,9 +822,7 @@ func Routes() *web.Route {
 	m.Use(securityHeaders())
 	if setting.CORSConfig.Enabled {
 		m.Use(cors.Handler(cors.Options{
-			// Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
-			AllowedOrigins: setting.CORSConfig.AllowDomain,
-			// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
+			AllowedOrigins:   setting.CORSConfig.AllowDomain,
 			AllowedMethods:   setting.CORSConfig.Methods,
 			AllowCredentials: setting.CORSConfig.AllowCredentials,
 			AllowedHeaders:   append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),
author	wxiaoguang <wxiaoguang@gmail.com>	2023-12-25 20:13:18 +0800
committer	GitHub <noreply@github.com>	2023-12-25 20:13:18 +0800
commit	b41925cee3d67a1fe546c7a219174e4a8b2302b7 (patch)
tree	c5d40048ba59379dc62821a19ecb4257499a6ee6 /routers/api
parent	d0f24ff4cad05c1145afeca791e7d02fe146d46a (diff)
download	gitea-b41925cee3d67a1fe546c7a219174e4a8b2302b7.tar.gz gitea-b41925cee3d67a1fe546c7a219174e4a8b2302b7.zip