MCPcopy Index your code
hub / github.com/rs/cors

github.com/rs/cors @v1.11.1 sqlite

repository ↗ · DeepWiki ↗ · release v1.11.1 ↗
92 symbols 368 edges 21 files 32 documented · 35% 34 cross-repo links
README

Go CORS handler godoc license Go Coverage

CORS is a net/http handler implementing Cross Origin Resource Sharing W3 specification in Golang.

Getting Started

After installing Go and setting up your GOPATH, create your first .go file. We'll call it server.go.

package main

import (
    "net/http"

    "github.com/rs/cors"
)

func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Content-Type", "application/json")
        w.Write([]byte("{\"hello\": \"world\"}"))
    })

    // cors.Default() setup the middleware with default options being
    // all origins accepted with simple methods (GET, POST). See
    // documentation below for more options.
    handler := cors.Default().Handler(mux)
    http.ListenAndServe(":8080", handler)
}

Install cors:

go get github.com/rs/cors

Then run your server:

go run server.go

The server now runs on localhost:8080:

$ curl -D - -H 'Origin: http://foo.com' http://localhost:8080/
HTTP/1.1 200 OK
Access-Control-Allow-Origin: foo.com
Content-Type: application/json
Date: Sat, 25 Oct 2014 03:43:57 GMT
Content-Length: 18

{"hello": "world"}

Allow * With Credentials Security Protection

This library has been modified to avoid a well known security issue when configured with AllowedOrigins to * and AllowCredentials to true. Such setup used to make the library reflects the request Origin header value, working around a security protection embedded into the standard that makes clients to refuse such configuration. This behavior has been removed with #55 and #57.

If you depend on this behavior and understand the implications, you can restore it using the AllowOriginFunc with func(origin string) {return true}.

Please refer to #55 for more information about the security implications.

More Examples

Parameters

Parameters are passed to the middleware thru the cors.New method as follow:

c := cors.New(cors.Options{
    AllowedOrigins: []string{"http://foo.com", "http://foo.com:8080"},
    AllowCredentials: true,
    // Enable Debugging for testing, consider disabling in production
    Debug: true,
})

// Insert the middleware
handler = c.Handler(handler)
  • AllowedOrigins []string: A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality. Only one wildcard can be used per origin. The default value is *.
  • AllowOriginFunc func (origin string) bool: A custom function to validate the origin. It takes the origin as an argument and returns true if allowed, or false otherwise. If this option is set, the content of AllowedOrigins is ignored.
  • AllowOriginRequestFunc func (r *http.Request, origin string) bool: A custom function to validate the origin. It takes the HTTP Request object and the origin as argument and returns true if allowed or false otherwise. If this option is set, the contents of AllowedOrigins and AllowOriginFunc are ignored. Deprecated: use AllowOriginVaryRequestFunc instead.
  • AllowOriginVaryRequestFunc func(r *http.Request, origin string) (bool, []string): A custom function to validate the origin. It takes the HTTP Request object and the origin as argument and returns true if allowed or false otherwise with a list of headers used to take that decision if any so they can be added to the Vary header. If this option is set, the contents of AllowedOrigins, AllowOriginFunc and AllowOriginRequestFunc are ignored.
  • AllowedMethods []string: A list of methods the client is allowed to use with cross-domain requests. Default value is simple methods (GET and POST).
  • AllowedHeaders []string: A list of non simple headers the client is allowed to use with cross-domain requests.
  • ExposedHeaders []string: Indicates which headers are safe to expose to the API of a CORS API specification.
  • AllowCredentials bool: Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates. The default is false.
  • AllowPrivateNetwork bool: Indicates whether to accept cross-origin requests over a private network.
  • MaxAge int: Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
  • OptionsPassthrough bool: Instructs preflight to let other potential next handlers to process the OPTIONS method. Turn this on if your application handles OPTIONS.
  • OptionsSuccessStatus int: Provides a status code to use for successful OPTIONS requests. Default value is http.StatusNoContent (204).
  • Debug bool: Debugging flag adds additional output to debug server side CORS issues.

See API documentation for more info.

Benchmarks

goos: darwin
goarch: arm64
pkg: github.com/rs/cors
BenchmarkWithout-10             135325480            8.124 ns/op           0 B/op          0 allocs/op
BenchmarkDefault-10             24082140            51.40 ns/op        0 B/op          0 allocs/op
BenchmarkAllowedOrigin-10       16424518            88.25 ns/op        0 B/op          0 allocs/op
BenchmarkPreflight-10            8010259           147.3 ns/op         0 B/op          0 allocs/op
BenchmarkPreflightHeader-10      6850962           175.0 ns/op         0 B/op          0 allocs/op
BenchmarkWildcard/match-10      253275342            4.714 ns/op           0 B/op          0 allocs/op
BenchmarkWildcard/too_short-10  1000000000           0.6235 ns/op          0 B/op          0 allocs/op
PASS
ok      github.com/rs/cors  99.131s

Licenses

All source code is licensed under the MIT License.

Extension points exported contracts — how you extend this code

Logger (Interface)
Logger generic interface for logger [1 implementers]
cors.go

Core symbols most depended-on inside this repo

New
called by 22
cors.go
logf
called by 17
cors.go
ServeHTTP
called by 16
cors.go
Handler
called by 14
cors.go
Default
called by 11
cors.go
HandlerFunc
called by 9
cors.go
match
called by 7
utils.go
convert
called by 5
utils.go

Shape

Function 65
Method 19
Struct 7
Interface 1

Languages

Go100%

Modules by API surface

cors_test.go19 symbols
cors.go16 symbols
internal/sortedset.go11 symbols
bench_test.go11 symbols
wrapper/gin/gin_test.go6 symbols
wrapper/gin/gin.go5 symbols
examples/buffalo/server.go4 symbols
utils_test.go3 symbols
utils.go3 symbols
internal/sortedset_test.go2 symbols
examples/httprouter/server.go2 symbols
examples/openbar/server.go1 symbols

Dependencies from manifests, versioned

github.com/aymerick/douceurv0.2.0 · 1×
github.com/chenzhuoyu/base64xv0.0.0-2022111506244 · 1×
github.com/codegangsta/injectv0.0.0-2015011423560 · 1×
github.com/codegangsta/negroniv1.0.0 · 1×
github.com/fatih/structsv1.1.0 · 1×
github.com/felixge/httpsnoopv1.0.1 · 1×

For agents

$ claude mcp add cors \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact