From ed82247c9ab7990ad76ec2bf1498c2b2830b6f1a Mon Sep 17 00:00:00 2001
From: Marcos Lilljedahl
Date: Thu, 2 Mar 2023 01:49:38 -0300
Subject: [PATCH] fix CORS origins to avoid domain hijacking

Signed-off-by: Marcos Lilljedahl
---
 handlers/bootstrap.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/handlers/bootstrap.go b/handlers/bootstrap.go
index bfd676c..e898fde 100644
--- a/handlers/bootstrap.go
+++ b/handlers/bootstrap.go
@@ -70,10 +70,10 @@ func Register(extend HandlerExtender) {
 	corsHandler := gh.CORS(gh.AllowCredentials(), gh.AllowedHeaders([]string{"x-requested-with", "content-type"}), gh.AllowedMethods([]string{"GET", "POST", "HEAD", "DELETE"}), gh.AllowedOriginValidator(func(origin string) bool {
 		if strings.Contains(origin, "localhost") ||
-			strings.HasSuffix(origin, "play-with-docker.com") ||
-			strings.HasSuffix(origin, "play-with-kubernetes.com") ||
-			strings.HasSuffix(origin, "docker.com") ||
-			strings.HasSuffix(origin, "play-with-go.dev") {
+			strings.HasSuffix(origin, ".play-with-docker.com") ||
+			strings.HasSuffix(origin, ".play-with-kubernetes.com") ||
+			strings.HasSuffix(origin, ".docker.com") ||
+			strings.HasSuffix(origin, ".play-with-go.dev") {
 			return true
 		}
 		return false
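Review bot: The unchanged `strings.Contains(origin, "localhost")` condition at the top of the validator leaves a hole the suffix tightening does not close: with `gh.AllowCredentials()` on, any origin whose host merely contains that substring as part of a longer, externally registrable name is still accepted, so the "domain hijacking" the subject names remains possible through that branch. The new dot-prefixed suffixes also stop admitting the apex origins themselves (for example `https://play-with-docker.com`), which may be unintended, and none of the checks look at the scheme or the port. Parsing the value with `url.Parse` and comparing `u.Hostname()` either exactly or as a `.`-prefixed suffix closes both gaps; that needs `net/url` imported, which is outside this hunk. The enclosing `Register` function and the `gh.CORS(...)` call continue past the end of the hunk.

```go
gh.AllowedOriginValidator(func(origin string) bool {
	// Compare the host component only; substring/suffix tests on the raw
	// Origin string can be satisfied by unrelated registrable domains.
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	host := u.Hostname()
	allowed := func(domain string) bool {
		return host == domain || strings.HasSuffix(host, "."+domain)
	}
	if host == "localhost" ||
		allowed("play-with-docker.com") ||
		allowed("play-with-kubernetes.com") ||
		allowed("docker.com") ||
		allowed("play-with-go.dev") {
		return true
	}
	return false
```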