// It returns an error when the Origin header is absent, is the literal "null",
// cannot be parsed, or matches neither the request host nor any trusted origin;
// it returns nil when the origin is acceptable.
func originMatchesHost(c fiber.Ctx, trustedOrigins []string, trustedSubOrigins []subdomain) error {
	// Lowercase once so every comparison below is case-insensitive.
	// NOTE(review): trustedOrigins entries are compared verbatim against this
	// lowercased value, so they must already be lowercase — confirm at the config site.
	rawOrigin := utilsstrings.ToLower(c.Get(fiber.HeaderOrigin))

	// A missing header and the literal "null" are treated alike: browsers send
	// "null" for opaque origins (sandboxed iframes, data: URLs, some cross-origin
	// redirects), so there is nothing to match against the host.
	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin#description
	switch rawOrigin {
	case "", "null":
		return errOriginNotFound
	}

	parsed, parseErr := url.Parse(rawOrigin)
	if parseErr != nil {
		return ErrOriginInvalid
	}

	// Same-origin request: the Origin's scheme and host agree with the scheme
	// and host the request was received on.
	if schemehost.Match(parsed.Scheme, parsed.Host, c.Scheme(), c.Host()) {
		return nil
	}

	// Exact-match allow list.
	if slices.Contains(trustedOrigins, rawOrigin) {
		return nil
	}

	// Pattern-based (subdomain) allow list.
	for i := range trustedSubOrigins {
		if trustedSubOrigins[i].match(rawOrigin) {
			return nil
		}
	}

	return ErrOriginNoMatch
}
| 388 | |
| 389 | // refererMatchesHost checks that the referer header matches the host header |
| 390 | // returns an error if the referer header is not present or is invalid |