// WithCORS is a simple CORS implementation that wraps an http Handler. // Pass nil for allowedMethods and allowedHeaders to use the defaults. If allowedOriginPatterns // is empty or nil, no CORS support is installed. func WithCORS(handler http.Handler, allowedOriginPatterns []string, allowedMethods []string, allowedHeaders []string, exposedHeaders []string, allowCredentials string) http.Handler { … } // isOriginAllowed returns true if the given origin header in the // request is allowed CORS. // // From https://www.rfc-editor.org/rfc/rfc6454#page-13 // // a) The origin header can contain host and/or port // serialized-origin = scheme "://" host [ ":" port ] // // b) In some cases, a number of origins contribute to causing the user // agents to issue an HTTP request. In those cases, the user agent MAY // list all the origins in the Origin header field. For example, if the // HTTP request was initially issued by one origin but then later // redirected by another origin, the user agent MAY inform the server // that two origins were involved in causing the user agent to issue the // request // origin-list = serialized-origin *( SP serialized-origin ) func isOriginAllowed(originHeader string, allowedOriginPatternsREs []*regexp.Regexp) bool { … } func allowedOriginRegexps(allowedOrigins []string) []*regexp.Regexp { … } // Takes a list of strings and compiles them into a list of regular expressions func compileRegexps(regexpStrings []string) ([]*regexp.Regexp, error) { … }