diff --git a/changelog.md b/changelog.md
index 38623cd..05113f1 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,3 +1,6 @@
+## Version 0.9.20
+ - Add option to disable CORS hardening (with empty value)
+
## Version 0.9.19
- Add country whitelist option to geoblocker
- No countries blocked by default anymore
diff --git a/package.json b/package.json
index cbbbf62..79c2e6b 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "cosmos-server",
- "version": "0.9.19",
+ "version": "0.9.20",
"description": "",
"main": "test-server.js",
"bugs": {
diff --git a/readme.md b/readme.md
index 8a7c52d..eb3ce03 100644
--- a/readme.md
+++ b/readme.md
@@ -4,11 +4,9 @@
Thanks to the sponsors:
-
-
+
-
diff --git a/src/proxy/routeTo.go b/src/proxy/routeTo.go
index 3ec4c19..4be4ecc 100644
--- a/src/proxy/routeTo.go
+++ b/src/proxy/routeTo.go
@@ -46,7 +46,7 @@ func joinURLPath(a, b *url.URL) (path, rawpath string) {
// NewProxy takes target host and creates a reverse proxy
-func NewProxy(targetHost string, AcceptInsecureHTTPSTarget bool, VerboseForwardHeader bool, DisableHeaderHardening bool) (*httputil.ReverseProxy, error) {
+func NewProxy(targetHost string, AcceptInsecureHTTPSTarget bool, VerboseForwardHeader bool, DisableHeaderHardening bool, CORSOrigin string) (*httputil.ReverseProxy, error) {
url, err := url.Parse(targetHost)
if err != nil {
return nil, err
@@ -76,8 +76,11 @@ func NewProxy(targetHost string, AcceptInsecureHTTPSTarget bool, VerboseForwardH
req.Header.Set("X-Forwarded-Ssl", "on")
}
- if VerboseForwardHeader {
+ if CORSOrigin != "" {
req.Header.Set("X-Forwarded-Host", url.Host)
+ }
+
+ if VerboseForwardHeader {
req.Header.Set("X-Origin-Host", url.Host)
req.Header.Set("Host", url.Host)
req.Header.Set("X-Forwarded-For", utils.GetClientIP(req))
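Review bot: The `X-Forwarded-Host` rewrite is now gated on `CORSOrigin != ""` instead of `VerboseForwardHeader`, which ties a forwarding header to a CORS setting with no comment explaining the link. A route with an empty `CORSOrigin` never overwrites the header, so unless it is stripped somewhere outside this hunk, a client-supplied `X-Forwarded-Host` would reach the upstream unchanged. Upstreams that build links or redirects from that header should not trust it in this mode. I would add a comment above the condition, e.g. `// CORS hardening on: pin X-Forwarded-Host to the target host; with an empty CORSOrigin the client's value is passed through`, and describe the new parameter in the NewProxy doc comment. The enclosing function starts and ends outside the hunk.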
@@ -120,7 +123,7 @@ func RouteTo(route utils.ProxyRouteConfig) http.Handler {
routeType := route.Mode
if(routeType == "SERVAPP" || routeType == "PROXY") {
- proxy, err := NewProxy(destination, route.AcceptInsecureHTTPSTarget, route.VerboseForwardHeader, route.DisableHeaderHardening)
+ proxy, err := NewProxy(destination, route.AcceptInsecureHTTPSTarget, route.VerboseForwardHeader, route.DisableHeaderHardening, route.CORSOrigin)
if err != nil {
utils.Error("Create Route", err)
}
diff --git a/src/utils/middleware.go b/src/utils/middleware.go
index cd67cec..406174c 100644
--- a/src/utils/middleware.go
+++ b/src/utils/middleware.go
@@ -80,10 +80,12 @@ func CORSHeader(origin string) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Access-Control-Allow-Origin", origin)
- w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
- w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
- w.Header().Set("Access-Control-Allow-Credentials", "true")
+ if origin != "" {
+ w.Header().Set("Access-Control-Allow-Origin", origin)
+ w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+ w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
+ w.Header().Set("Access-Control-Allow-Credentials", "true")
+ }
next.ServeHTTP(w, r)
})
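Review bot: Treating `origin == ""` as "hardening off" makes the zero value of the string the permissive setting, so a route whose CORS origin is simply left unset would skip all four `Access-Control-*` headers. CORS policy is then left to whatever the upstream sends, including credentialed cross-origin access if the upstream allows it. Whether callers fill in a default before the value reaches CORSHeader is not visible here, so this may already be handled. I would state the contract on the function, e.g. `// CORSHeader sets a fixed CORS policy for origin; an empty origin disables it and leaves CORS headers to the upstream`, and log when a route is created with hardening disabled so the opt-out is visible to operators. The enclosing function starts and ends outside the hunk.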