fix: cors handling after gorilla mux update (#9980)

fixes #9979
2025-11-21 02:09:08 -05:00 · 2020-07-06 20:55:19 -07:00
parent c2f7cd1104
commit 93e7e4a0e5
3 changed files with 53 additions and 51 deletions
--- a/cmd/api-router.go
+++ b/cmd/api-router.go
@@ -21,6 +21,8 @@ import (

 	"github.com/gorilla/mux"
 	xhttp "github.com/minio/minio/cmd/http"
+	"github.com/minio/minio/pkg/wildcard"
+	"github.com/rs/cors"
 )

 func newHTTPServerFn() *xhttp.Server {
@@ -290,8 +292,58 @@ func registerAPIRouter(router *mux.Router, encryptionEnabled, allowSSEKMS bool)
 	apiRouter.Methods(http.MethodGet).Path(SlashSeparator + SlashSeparator).HandlerFunc(
 		maxClients(collectAPIStats("listbuckets", httpTraceAll(api.ListBucketsHandler))))

+	// Supports cors only for S3 handlers
+	apiRouter.Methods(http.MethodOptions).Path(SlashSeparator).HandlerFunc(
+		maxClients(collectAPIStats("cors", httpTraceAll(corsHandlerFunc()))))
+
+	apiRouter.Methods(http.MethodOptions).Path(SlashSeparator + SlashSeparator).HandlerFunc(
+		maxClients(collectAPIStats("cors", httpTraceAll(corsHandlerFunc()))))
+
 	// If none of the routes match add default error handler routes
 	apiRouter.NotFoundHandler = http.HandlerFunc(collectAPIStats("notfound", httpTraceAll(errorResponseHandler)))
 	apiRouter.MethodNotAllowedHandler = http.HandlerFunc(collectAPIStats("methodnotallowed", httpTraceAll(errorResponseHandler)))

 }
+
+// setCorsHandler handler for CORS (Cross Origin Resource Sharing)
+func corsHandlerFunc() http.HandlerFunc {
+	commonS3Headers := []string{
+		xhttp.Date,
+		xhttp.ETag,
+		xhttp.ServerInfo,
+		xhttp.Connection,
+		xhttp.AcceptRanges,
+		xhttp.ContentRange,
+		xhttp.ContentEncoding,
+		xhttp.ContentLength,
+		xhttp.ContentType,
+		"X-Amz*",
+		"x-amz*",
+		"*",
+	}
+
+	c := cors.New(cors.Options{
+		AllowOriginFunc: func(origin string) bool {
+			for _, allowedOrigin := range globalAPIConfig.getCorsAllowOrigins() {
+				if wildcard.MatchSimple(allowedOrigin, origin) {
+					return true
+				}
+			}
+			return false
+		},
+		AllowedMethods: []string{
+			http.MethodGet,
+			http.MethodPut,
+			http.MethodHead,
+			http.MethodPost,
+			http.MethodDelete,
+			http.MethodOptions,
+			http.MethodPatch,
+		},
+		AllowedHeaders:   commonS3Headers,
+		ExposedHeaders:   commonS3Headers,
+		AllowCredentials: true,
+	})
+
+	return c.HandlerFunc
+}