
refactor(net/ghttp): trim referer -> AllowOrigin #3986


Closed
wants to merge 1 commit into from

Conversation

y1jiong
Contributor

@y1jiong y1jiong commented Nov 28, 2024

Broadly speaking, user agents add the Origin request header to: [1]

According to the documentation, in cross origin requests, the Origin request header is usually carried, so in the code, it is redundant to obtain the Origin based on the Referer.

Footnotes

  [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin#description

@gqcn
Member

gqcn commented Nov 29, 2024

@yzy613 This code snippet handles the setting of the Access-Control-Allow-Origin response header for CORS (Cross-Origin Resource Sharing). Let me explain in detail:

  1. First, check for the Origin header:

```go
if origin := r.Request.Header.Get("Origin"); origin != "" {
    options.AllowOrigin = origin
}
```

  • If the request contains an Origin header, use its value directly as AllowOrigin
  • The Origin header is typically automatically added by browsers in cross-origin requests

  2. If no Origin header is present, try using the Referer:

```go
else if referer := r.Request.Referer(); referer != "" {
    if p := gstr.PosR(referer, "/", 6); p != -1 {
        options.AllowOrigin = referer[:p]
    } else {
        options.AllowOrigin = referer
    }
}
```

  • If a Referer header exists, attempt to extract the domain portion
  • gstr.PosR(referer, "/", 6) searches for the 6th "/" from right to left
  • If the 6th "/" is found, take the substring before it as AllowOrigin
  • If not found, use the entire Referer value

Example:

  1. With Origin header:

```
Origin: https://example.com
-> AllowOrigin = "https://example.com"
```

  2. With only Referer:

```
Referer: https://example.com/path/to/page.html
-> AllowOrigin = "https://example.com"
```

The purpose of this logic is to:

  1. Prioritize the standard Origin header
  2. Fall back to extracting domain from Referer if Origin is not available
  3. Ensure proper setting of the CORS Access-Control-Allow-Origin response header
  4. Enable cross-origin requests to work correctly

This is a flexible approach that:

  • Supports standard cross-origin requests
  • Handles special cases where only Referer is available
  • Maintains security by properly setting CORS headers
  • Follows web standards while providing fallback options

This implementation helps in managing cross-origin requests effectively while maintaining security and compatibility across different browsers and scenarios.

@gqcn gqcn added the rejected The proposal or PR is not accepted, which might be conflicted with our design or plan. label Nov 29, 2024
@gqcn gqcn closed this Nov 29, 2024
@y1jiong
Contributor Author

y1jiong commented Nov 29, 2024

Example 2 has a problem.

```go
package main

import (
	"fmt"

	"github.com/gogf/gf/v2/text/gstr"
)

func main() {
	referer := "https://example.com/path/to/page.html"
	if p := gstr.PosR(referer, "/", 6); p != -1 {
		fmt.Println(referer[:p]) // https://example.com/path/to
	} else {
		fmt.Println(referer)
	}
}
```
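An added example, not code from the project or from either commenter, that runs the Referer-derived origin logic of this thread stand-alone: `gstr.PosR(referer, "/", 6)` is assumed to return the last "/" at or after byte offset 6 and is emulated with `strings.LastIndex`, while `refererOriginByURL` and `allowOrigin` are hypothetical helpers showing a `net/url` based derivation next to it.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// refererOriginBySlash reproduces the Referer fallback discussed in this PR.
// Assumption: gstr.PosR(s, "/", 6) returns the last "/" at or after byte
// offset 6, so it is emulated with strings.LastIndex to run without GoFrame.
func refererOriginBySlash(referer string) string {
	if len(referer) <= 6 {
		return referer
	}
	if p := strings.LastIndex(referer[6:], "/"); p != -1 {
		return referer[:p+6]
	}
	return referer
}

// refererOriginByURL derives scheme://host with net/url instead of slash
// counting (hypothetical replacement, not the project's code); ok is false
// when the Referer carries no scheme or host.
func refererOriginByURL(referer string) (origin string, ok bool) {
	u, err := url.Parse(referer)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", false
	}
	return u.Scheme + "://" + u.Host, true
}

// allowOrigin applies the order the thread describes: Origin wins, Referer is
// consulted only when Origin is absent. Both are client-supplied headers, so
// the result is still untrusted input.
func allowOrigin(origin, referer string) string {
	if origin != "" {
		return origin
	}
	if o, ok := refererOriginByURL(referer); ok {
		return o
	}
	return ""
}

func main() {
	ref := "https://example.com/path/to/page.html" // constructed sample
	fmt.Println(refererOriginBySlash(ref), allowOrigin("", ref))
}
```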
