CORS Preflight Handler

Overview

Cross-Origin Resource Sharing (CORS) specifies how a browser may let a script read resources hosted at an origin (scheme, host and port) other than the one the document was loaded from. For example, JavaScript loaded from a.example.com makes a request to b.example.com.

When the request to b.example.com is not a "simple" request (in practice: a method other than GET, HEAD or POST, a request header outside the safelisted set, or a Content-Type other than the form and plain-text types), the browser first sends a preflight request to learn the permitted HTTP methods, request headers and origin, and how long that answer may be cached. This behavior is defined by the WHATWG Fetch standard; browsers implement it to keep web pages operating securely by blocking cross-origin reads that the target server has not explicitly opted into.

Backend Implementation

Handle OPTIONS request

To implement CORS preflight, the browser sends an OPTIONS request to the resource's URL on the target server (b.example.com). Thus, the backend must accept this HTTP method on that route, in addition to the method the resource actually serves, and the handler should answer an OPTIONS request with the headers described below and return without running the resource logic.

Using Gorilla mux, this is as easy as adding the method to the route registration (shown here alongside GET, the method the resource itself serves):

r.HandleFunc("/resource", route).Methods(http.MethodGet, http.MethodOptions)

Set Header for Allowed Origin

The allowed origin should be a single value that is well-known to the server and fixed in its configuration: never "*" for a resource that carries cookies or other credentials, and never a copy of the request's own Origin header, which would grant every site on the Internet access. We'll read it from an environment variable.

origin := os.Getenv("ACCESS_CONTROL_ALLOW_ORIGIN")

w.Header().Set("Access-Control-Allow-Origin", origin)

Any cross-origin request from a different origin will fail in the browser: for a preflighted request the real request is never sent, and for a simple request the response arrives but the script is not allowed to read it. Note that this is enforced by the browser, not the server. A request sent with curl or any other non-browser client is unaffected, so CORS is not a substitute for authentication or CSRF protection on the resource itself.

Set Header for Allowed Headers

Likewise, the request headers expected on this route should be well-defined in the code or configuration, rather than copied back from the request's Access-Control-Request-Headers value. We'll keep them in a non-exported package-level variable and send them in the Access-Control-Allow-Headers response header.

Set Header for Allowed Methods

Using Gorilla mux, this is easy: the provided mux.CORSMethodMiddleware reads the methods configured on the matched route and sets Access-Control-Allow-Methods from them. It only does so for routes that include an OPTIONS method matcher, and it does not answer the preflight for you; the handler still has to respond to the OPTIONS request itself.

Completed Example

You can try it out with curl (send an OPTIONS request carrying Origin and Access-Control-Request-Method headers and inspect the Access-Control-Allow-* response headers), but the benefit comes when we serve this resource route on b.example.com and access it via a script loaded from a.example.com -- where we're truly sharing a resource across origins.
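As an added example, not the page's own listing, here is a complete handler assembling the steps above. It uses only the Go standard library (net/http and http.ServeMux) so it runs without Gorilla; the environment variable name ACCESS_CONTROL_ALLOW_ORIGIN is the one used above, while allowedHeaders, allowedMethods, validateOrigin and withCORS are names assumed for this example. With a Gorilla router the method list would come from .Methods(...) plus mux.CORSMethodMiddleware rather than the explicit slice declared here.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// Request headers this route accepts from a cross-origin caller. A non-exported
// package variable keeps the allow list in code, never derived from the request.
// (Assumed values for this example.)
var allowedHeaders = []string{"Content-Type", "Authorization"}

// Methods the resource supports. With Gorilla these would be read from the
// route's .Methods(...) by mux.CORSMethodMiddleware; the standard library has
// no equivalent, so they are listed explicitly here. (Assumed values.)
var allowedMethods = []string{http.MethodGet, http.MethodPost, http.MethodOptions}

// validateOrigin rejects anything that is not a single serialized origin of the
// form scheme://host[:port]. In particular it refuses "*" (any site could read
// the response) and values carrying a path, query, fragment or userinfo.
func validateOrigin(origin string) error {
	if origin == "" || origin == "*" {
		return fmt.Errorf("ACCESS_CONTROL_ALLOW_ORIGIN must be one specific origin, got %q", origin)
	}
	u, err := url.Parse(origin)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" ||
		u.Path != "" || u.RawQuery != "" || u.Fragment != "" || u.User != nil {
		return fmt.Errorf("%q is not an origin of the form scheme://host[:port]", origin)
	}
	return nil
}

// withCORS wraps the resource handler: it emits the fixed allow-list headers on
// every response and answers preflight OPTIONS requests itself, so the resource
// logic never runs for a preflight. The origin is a constant configured value;
// the request's Origin header is deliberately never echoed back.
func withCORS(allowedOrigin string, resource http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", allowedOrigin)
		h.Set("Access-Control-Allow-Methods", strings.Join(allowedMethods, ", "))
		h.Set("Access-Control-Allow-Headers", strings.Join(allowedHeaders, ", "))
		h.Set("Access-Control-Max-Age", "600") // browser may cache this preflight answer for 10 minutes

		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight: headers only, no body
			return
		}
		if !contains(allowedMethods, r.Method) {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		resource.ServeHTTP(w, r)
	})
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// resource is the cross-origin resource being shared (a placeholder body).
func resource(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"status":"ok"}`)
}

func main() {
	origin := os.Getenv("ACCESS_CONTROL_ALLOW_ORIGIN") // e.g. https://a.example.com
	if err := validateOrigin(origin); err != nil {
		log.Fatal(err)
	}
	router := http.NewServeMux()
	router.Handle("/resource", withCORS(origin, http.HandlerFunc(resource)))
	log.Fatal(http.ListenAndServe(":8080", router))
}
```

Run it with ACCESS_CONTROL_ALLOW_ORIGIN=https://a.example.com and send a preflight with curl: curl -i -X OPTIONS http://localhost:8080/resource -H 'Origin: https://a.example.com' -H 'Access-Control-Request-Method: POST'. The response is a 204 carrying the three Access-Control-Allow-* headers and no body; a GET returns the JSON body with the same headers, and a DELETE is refused with 405 because it is not in the method allow list. Starting the server with an origin of "*" or "https://a.example.com/" fails at startup rather than silently loosening the policy.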
