From 16ee985c22c2fcfa2e108dcc7d3e8ce184fd95ed Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Mon, 23 Dec 2019 12:46:01 -0700
Subject: [PATCH] admin: Only write most CORS headers in OPTIONS requests

---
 admin.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/admin.go b/admin.go
index 89c007d5..bf119859 100644
--- a/admin.go
+++ b/admin.go
@@ -50,7 +50,7 @@ type AdminConfig struct {
 	// The address to which the admin endpoint's listener should
 	// bind itself. Can be any single network address that can be
-	// parsed by Caddy.
+	// parsed by Caddy. Default: localhost:2019
 	Listen string `json:"listen,omitempty"`
 
 	// If true, CORS headers will be emitted, and requests to the
@@ -282,10 +282,12 @@ func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if r.Method == http.MethodOptions {
+		w.Header().Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, PATCH, DELETE")
+		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Cache-Control")
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
+	}
 	w.Header().Set("Access-Control-Allow-Origin", origin)
-	w.Header().Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, PATCH, DELETE")
-	w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Cache-Control")
-	w.Header().Set("Access-Control-Allow-Credentials", "true")
 	}
 
 	// TODO: authentication & authorization, if configured
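Review bot: Moving `Access-Control-Allow-Credentials` into the `r.Method == http.MethodOptions` branch means the actual (non-preflight) response of a credentialed cross-origin request no longer carries it, and browsers discard such a response — the header is required on both the preflight and the actual response, so only the Allow-Methods and Allow-Headers lines are preflight-only. Since authentication is still a TODO at the end of the hunk, the safer option is to stop emitting the credentials header entirely until the endpoint actually accepts credentials, rather than reflecting `origin` with credentials enabled. Independently, a response that echoes the request's `Origin` should also set `w.Header().Add("Vary", "Origin")` next to the Allow-Origin line so a shared cache cannot serve one origin's allow value to another. This assumes `origin` was already validated against the configured allow-list in the lines above the hunk; serveHTTP starts and ends outside it.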