fix CORS allowed-origin suffix matching to avoid lookalike-domain bypass

Signed-off-by: Marcos Lilljedahl <marcosnils@gmail.com>
This commit is contained in:
Marcos Lilljedahl
2023-03-02 01:49:38 -03:00
parent 2b95e66079
commit ed82247c9a


@@ -70,10 +70,10 @@ func Register(extend HandlerExtender) {
corsHandler := gh.CORS(gh.AllowCredentials(), gh.AllowedHeaders([]string{"x-requested-with", "content-type"}), gh.AllowedMethods([]string{"GET", "POST", "HEAD", "DELETE"}), gh.AllowedOriginValidator(func(origin string) bool {
if strings.Contains(origin, "localhost") ||
strings.HasSuffix(origin, "play-with-docker.com") ||
strings.HasSuffix(origin, "play-with-kubernetes.com") ||
strings.HasSuffix(origin, "docker.com") ||
strings.HasSuffix(origin, "play-with-go.dev") {
strings.HasSuffix(origin, ".play-with-docker.com") ||
strings.HasSuffix(origin, ".play-with-kubernetes.com") ||
strings.HasSuffix(origin, ".docker.com") ||
strings.HasSuffix(origin, ".play-with-go.dev") {
return true
}
return false