|
|
@@ -236,12 +236,12 @@ func (s *apiService) Serve() {
|
|
|
|
|
|
guiCfg := s.cfg.GUI()
|
|
|
|
|
|
+ // Add the CORS handling
|
|
|
+ handler := corsMiddleware(mux)
|
|
|
+
|
|
|
// Wrap everything in CSRF protection. The /rest prefix should be
|
|
|
// protected, other requests will grant cookies.
|
|
|
- handler := csrfMiddleware(s.id.String()[:5], "/rest", guiCfg, mux)
|
|
|
-
|
|
|
- // Add the CORS handling
|
|
|
- handler = corsMiddleware(handler)
|
|
|
+ handler = csrfMiddleware(s.id.String()[:5], "/rest", guiCfg, handler)
|
|
|
|
|
|
// Add our version and ID as a header to responses
|
|
|
handler = withDetailsMiddleware(s.id, handler)
|
|
|
@@ -382,6 +382,10 @@ func corsMiddleware(next http.Handler) http.Handler {
|
|
|
// Handle CORS headers and CORS OPTIONS request.
|
|
|
// CORS OPTIONS request are typically sent by browser during AJAX preflight
|
|
|
// when the browser initiate a POST request.
|
|
|
+ //
|
|
|
+ // As the OPTIONS request is unauthorized, this handler must be the first
|
|
|
+ // of the chain.
|
|
|
+ //
|
|
|
// See https://www.w3.org/TR/cors/ for details.
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
// Add a generous access-control-allow-origin header since we may be
|
Audrius Butkevicius