checkOrigin ensures that the Origin header, if set, matches the intended target, which prevents arbitrary sites from issuing requests to our listener. It returns the origin that was obtained from r.
(r *http.Request)
// checkOrigin ensures that the Origin header, if set, matches the
// intended target; prevents arbitrary sites from issuing requests to
// our listener. It returns the origin that was obtained from r.
//
// The origin is resolved by getOrigin and vetted by originAllowed
// (both defined elsewhere in this file). A request whose origin
// cannot be resolved to a URL, or whose URL is not allowed, is
// rejected with an APIError carrying HTTP 403 instead of being served.
func (h adminHandler) checkOrigin(r *http.Request) (string, error) {
	originStr, originURL := h.getOrigin(r)

	// getOrigin signals an unusable origin with a nil *url.URL; its
	// body is outside this listing, so exactly when that happens is
	// not visible here.
	if originURL == nil {
		return "", APIError{
			HTTPStatus: http.StatusForbidden,
			Err:        fmt.Errorf("required Origin header is missing or invalid"),
		}
	}

	// Happy path: the parsed origin is on the allow list.
	if h.originAllowed(originURL) {
		return originURL.String(), nil
	}

	// The raw header value (originStr) is echoed so the caller can
	// see what was rejected; the normalized URL is not returned.
	return "", APIError{
		HTTPStatus: http.StatusForbidden,
		Err:        fmt.Errorf("client is not allowed to access from origin '%s'", originStr),
	}
}
| 958 | |
| 959 | func (h adminHandler) getOrigin(r *http.Request) (string, *url.URL) { |
| 960 | origin := r.Header.Get("Origin") |