github.com/System-Glitch/goyave/v2@v2.10.3-0.20200819142921-51011e75d504/docs/guide/advanced/cors.html (about) 1 <!DOCTYPE html> 2 <html lang="en-US"> 3 <head> 4 <meta charset="utf-8"> 5 <meta name="viewport" content="width=device-width,initial-scale=1"> 6 <title>CORS | Goyave</title> 7 <meta name="generator" content="VuePress 1.5.3"> 8 <link rel="icon" type="image/png" sizes="16x16" href="/goyave/goyave_16.png"> 9 <link rel="icon" type="image/png" sizes="32x32" href="/goyave/goyave_32.png"> 10 <link rel="icon" type="image/png" sizes="64x64" href="/goyave/goyave_64.png"> 11 <link rel="icon" type="image/png" sizes="128x128" href="/goyave/goyave_128.png"> 12 <link rel="icon" type="image/png" sizes="256x256" href="/goyave/goyave_256.png"> 13 <link rel="icon" type="image/png" sizes="512x512" href="/goyave/goyave_512.png"> 14 <meta name="description" content="Goyave is a Golang web API framework aiming at cleanliness, fast development and power."> 15 <meta name="og:title" content="CORS - Goyave"> 16 <meta name="twitter:title" content="CORS - Goyave"> 17 <meta name="title" content="CORS - Goyave"> 18 <meta property="twitter:description" content="Goyave is a Golang web API framework aiming at cleanliness, fast development and power."> 19 <meta property="twitter:image:src" content="https://system-glitch.github.io/goyave/goyave_banner.png"> 20 <meta property="twitter:card" content="summary_large_image"> 21 <meta property="og:type" content="website"> 22 <meta property="og:description" content="Goyave is a Golang web API framework aiming at cleanliness, fast development and power."> 23 <meta property="og:image" content="https://system-glitch.github.io/goyave/goyave_banner.png"> 24 <meta property="og:site_name" content="Goyave"> 25 <link rel="preload" href="/goyave/assets/css/0.styles.589fd562.css" as="style"><link rel="preload" href="/goyave/assets/js/app.092490a7.js" as="script"><link rel="preload" href="/goyave/assets/js/4.75a9cc68.js" as="script"><link rel="preload" href="/goyave/assets/js/1.121dd9ed.js" as="script"><link rel="preload" href="/goyave/assets/js/9.8e043d60.js" as="script"><link rel="preload" href="/goyave/assets/js/5.c83f1192.js" as="script"><link rel="prefetch" href="/goyave/assets/js/10.2f07bbf5.js"><link rel="prefetch" href="/goyave/assets/js/11.2d66fdef.js"><link rel="prefetch" href="/goyave/assets/js/12.63171b15.js"><link rel="prefetch" href="/goyave/assets/js/13.770050f3.js"><link rel="prefetch" href="/goyave/assets/js/14.b933d8cf.js"><link rel="prefetch" href="/goyave/assets/js/15.36df2a66.js"><link rel="prefetch" href="/goyave/assets/js/16.ed66719e.js"><link rel="prefetch" href="/goyave/assets/js/17.7bef5f05.js"><link rel="prefetch" href="/goyave/assets/js/18.470b55ed.js"><link rel="prefetch" href="/goyave/assets/js/19.90e0dab8.js"><link rel="prefetch" href="/goyave/assets/js/20.3a300ca3.js"><link rel="prefetch" href="/goyave/assets/js/21.c3fd6053.js"><link rel="prefetch" href="/goyave/assets/js/22.d5569617.js"><link rel="prefetch" href="/goyave/assets/js/23.931b2034.js"><link rel="prefetch" href="/goyave/assets/js/24.1a4755e7.js"><link rel="prefetch" href="/goyave/assets/js/25.0d463913.js"><link rel="prefetch" href="/goyave/assets/js/26.3c173a7a.js"><link rel="prefetch" href="/goyave/assets/js/27.9c5b36f2.js"><link rel="prefetch" href="/goyave/assets/js/28.41e055b7.js"><link rel="prefetch" href="/goyave/assets/js/29.b87adf4a.js"><link rel="prefetch" href="/goyave/assets/js/3.ef71e77d.js"><link rel="prefetch" href="/goyave/assets/js/6.2336bf0c.js"><link rel="prefetch" href="/goyave/assets/js/7.d60e55c1.js"><link rel="prefetch" href="/goyave/assets/js/8.2ee33a42.js"> 26 <link rel="stylesheet" href="/goyave/assets/css/0.styles.589fd562.css"> 27 </head> 28 <body> 29 <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="sidebar-button"><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" role="img" viewBox="0 0 448 512" class="icon"><path fill="currentColor" d="M436 124H12c-6.627 0-12-5.373-12-12V80c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12z"></path></svg></div> <a href="/goyave/" class="home-link router-link-active"><img src="/goyave/goyave_64.png" alt="Goyave" class="logo"> <span class="site-name can-hide">Goyave</span></a> <div class="links"><div class="user-settings"><a title="Dark theme" href="#" class="settings-button"><svg aria-hidden="true" data-prefix="fas" data-icon="cog" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" class="svg-inline--fa fa-cog fa-w-16 settings-icon"><path fill="currentColor" d="M8 0c-4.4 0-8 3.6-8 8s3.6 8 8 8 8-3.6 8-8-3.6-8-8-8zM8 15c-3.9 0-7-3.1-7-7 0-2.4 1.2-4.6 3.2-5.9-0.1 0.6-0.2 1.3-0.2 1.9 0 4.9 4 8.9 8.9 9-1.3 1.3-3 2-4.9 2z"></path></svg></a></div> <div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><div class="nav-item"><a href="/goyave/guide/" class="nav-link router-link-active"> 30 Guide 31 </a></div><div class="nav-item"><a href="https://pkg.go.dev/github.com/System-Glitch/goyave/v2" target="_blank" rel="noopener noreferrer" class="nav-link external"> 32 pkg.go.dev 33 <svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div> <a href="https://github.com/System-Glitch/goyave" target="_blank" rel="noopener noreferrer" class="repo-link"> 34 GitHub 35 <svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></nav></div></header> <div class="sidebar-mask"></div> <aside class="sidebar"><nav class="nav-links"><div class="nav-item"><a href="/goyave/guide/" class="nav-link router-link-active"> 36 Guide 37 </a></div><div class="nav-item"><a href="https://pkg.go.dev/github.com/System-Glitch/goyave/v2" target="_blank" rel="noopener noreferrer" class="nav-link external"> 38 pkg.go.dev 39 <svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div> <a href="https://github.com/System-Glitch/goyave" target="_blank" rel="noopener noreferrer" class="repo-link"> 40 GitHub 41 <svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></nav> <ul class="sidebar-links"><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>Guide</span> <span class="arrow right"></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>The Basics</span> <span class="arrow right"></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>Advanced</span> <span class="arrow down"></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/goyave/guide/advanced/helpers.html" class="sidebar-link">Helpers</a></li><li><a href="/goyave/guide/advanced/authentication.html" class="sidebar-link">Authentication</a></li><li><a href="/goyave/guide/advanced/localization.html" class="sidebar-link">Localization</a></li><li><a href="/goyave/guide/advanced/testing.html" class="sidebar-link">Testing</a></li><li><a href="/goyave/guide/advanced/multi-services.html" class="sidebar-link">Multi-services</a></li><li><a href="/goyave/guide/advanced/cors.html" aria-current="page" class="active sidebar-link">CORS</a><ul class="sidebar-sub-headers"><li class="sidebar-sub-header"><a href="/goyave/guide/advanced/cors.html#introduction" class="sidebar-link">Introduction</a></li><li class="sidebar-sub-header"><a href="/goyave/guide/advanced/cors.html#enabling-cors" class="sidebar-link">Enabling CORS</a></li><li class="sidebar-sub-header"><a href="/goyave/guide/advanced/cors.html#options" class="sidebar-link">Options</a></li></ul></li><li><a href="/goyave/guide/advanced/status-handlers.html" class="sidebar-link">Status Handlers</a></li><li><a href="/goyave/guide/advanced/logging.html" class="sidebar-link">Logging</a></li></ul></section></li></ul> </aside> <main class="page"> <div class="theme-default-content content__default"><h1 id="cors"><a href="#cors" class="header-anchor">#</a> CORS <span class="badge tip" style="vertical-align:top;" data-v-15b7b770>Since v2.3.0</span></h1> <p></p><div class="table-of-contents"><ul><li><a href="#introduction">Introduction</a></li><li><a href="#enabling-cors">Enabling CORS</a></li><li><a href="#options">Options</a><ul><li><a href="#alloworigins">AllowOrigins</a></li><li><a href="#allowedmethods">AllowedMethods</a></li><li><a href="#allowedheaders">AllowedHeaders</a></li><li><a href="#exposedheaders">ExposedHeaders</a></li><li><a href="#maxage">MaxAge</a></li><li><a href="#allowcredentials">AllowCredentials</a></li><li><a href="#optionspassthrough">OptionsPassthrough</a></li></ul></li></ul></div><p></p> <h2 id="introduction"><a href="#introduction" class="header-anchor">#</a> Introduction</h2> <p>CORS, or "<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS" target="_blank" rel="noopener noreferrer">Cross-Origin Resource Sharing<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a>" is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, <strong>access to selected resources from a different origin</strong>. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own. Enabling CORS is done by adding a set of specific headers allowing the browser and server to communicate about which requests, methods and headers are or are not allowed. CORS support also comes with <strong>pre-flight</strong> <code>OPTIONS</code> requests support.</p> <p>Most of the time, the API is using another domain as the clients. For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. That's why you should configure CORS for your API.</p> <h2 id="enabling-cors"><a href="#enabling-cors" class="header-anchor">#</a> Enabling CORS</h2> <p>All functions below require the <code>cors</code> package to be imported.</p> <div class="language-go extra-class"><pre class="language-go"><code><span class="token keyword">import</span> <span class="token string">"github.com/System-Glitch/goyave/v2/cors"</span> 42 </code></pre></div><p>CORS options are set on <strong>routers</strong>. If the passed options are not <code>nil</code>, the CORS core middleware is automatically added.</p> <div class="language-go extra-class"><pre class="language-go"><code>router<span class="token punctuation">.</span><span class="token function">CORS</span><span class="token punctuation">(</span>cors<span class="token punctuation">.</span><span class="token function">Default</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span> 43 </code></pre></div><p>CORS options should be defined <strong>before middleware and route definition</strong>. All of this router's sub-routers <strong>inherit</strong> CORS options by default. If you want to remove the options from a sub-router, or use different ones, simply create another <code>cors.Options</code> object and assign it.</p> <div class="language-go extra-class"><pre class="language-go"><code>router<span class="token punctuation">.</span><span class="token function">CORS</span><span class="token punctuation">(</span>cors<span class="token punctuation">.</span><span class="token function">Default</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span> 44 45 subrouter <span class="token operator">:=</span> router<span class="token punctuation">.</span><span class="token function">Subrouter</span><span class="token punctuation">(</span><span class="token string">"/products"</span><span class="token punctuation">)</span> 46 subrouter<span class="token punctuation">.</span><span class="token function">CORS</span><span class="token punctuation">(</span><span class="token boolean">nil</span><span class="token punctuation">)</span> <span class="token comment">// Remove CORS options</span> 47 48 options <span class="token operator">:=</span> cors<span class="token punctuation">.</span><span class="token function">Default</span><span class="token punctuation">(</span><span class="token punctuation">)</span> 49 options<span class="token punctuation">.</span>AllowCredentials <span class="token operator">=</span> <span class="token boolean">true</span> 50 subrouter<span class="token punctuation">.</span><span class="token function">CORS</span><span class="token punctuation">(</span>options<span class="token punctuation">)</span> <span class="token comment">// Different CORS options</span> 51 </code></pre></div><div class="custom-block tip"><p class="custom-block-title">TIP</p> <p>All routes defined in a router having CORS options will match the <code>OPTIONS</code> HTTP method to allow <strong>pre-flight</strong> requests, even if it's not explicitly told in the route definition.</p></div> <h2 id="options"><a href="#options" class="header-anchor">#</a> Options</h2> <p><code>cors.Default()</code> can be used as a starting point for custom configuration.</p> <div class="language-go extra-class"><pre class="language-go"><code>options <span class="token operator">:=</span> cors<span class="token punctuation">.</span><span class="token function">Default</span><span class="token punctuation">(</span><span class="token punctuation">)</span> 52 options<span class="token punctuation">.</span>AllowedOrigins <span class="token operator">=</span> <span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token builtin">string</span><span class="token punctuation">{</span><span class="token string">"https://google.com"</span><span class="token punctuation">,</span> <span class="token string">"https://images.google.com"</span><span class="token punctuation">}</span> 53 router<span class="token punctuation">.</span><span class="token function">CORS</span><span class="token punctuation">(</span>options<span class="token punctuation">)</span> 54 </code></pre></div><p>Find the options reference below:</p> <h3 id="alloworigins"><a href="#alloworigins" class="header-anchor">#</a> AllowOrigins</h3> <p>A list of origins a cross-domain request can be executed from. If the first value in the slice is <code>*</code> or if the slice is empty, all origins will be allowed.</p> <p><strong>Type:</strong> <code>[]string</code> <strong>Default:</strong> <code>["*"]</code></p> <h3 id="allowedmethods"><a href="#allowedmethods" class="header-anchor">#</a> AllowedMethods</h3> <p>A list of methods the client is allowed to use with cross-domain requests.</p> <p><strong>Type:</strong> <code>[]string</code> <strong>Default:</strong> <code>["HEAD", "GET", "POST", "PUT", "PATCH", "DELETE"]</code></p> <h3 id="allowedheaders"><a href="#allowedheaders" class="header-anchor">#</a> AllowedHeaders</h3> <p>A list of non simple headers the client is allowed to use with cross-domain requests. If the first value in the slice is <code>*</code>, all headers will be allowed. If the slice is empty, the request's headers will be reflected.</p> <p><strong>Type:</strong> <code>[]string</code> <strong>Default:</strong> <code>["Origin", "Accept", "Content-Type", "X-Requested-With", "Authorization"]</code></p> <h3 id="exposedheaders"><a href="#exposedheaders" class="header-anchor">#</a> ExposedHeaders</h3> <p>Indicates which headers are safe to expose to the API of a CORS API specification.</p> <p><strong>Type:</strong> <code>[]string</code> <strong>Default:</strong> <code>[]</code></p> <h3 id="maxage"><a href="#maxage" class="header-anchor">#</a> MaxAge</h3> <p>Indicates how long the results of a preflight request can be cached.</p> <p><strong>Type:</strong> <code>time.Duration</code> <strong>Default:</strong> <code>12 hours (43200 seconds)</code></p> <h3 id="allowcredentials"><a href="#allowcredentials" class="header-anchor">#</a> AllowCredentials</h3> <p>Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.</p> <p><strong>Type:</strong> <code>bool</code> <strong>Default:</strong> <code>false</code></p> <h3 id="optionspassthrough"><a href="#optionspassthrough" class="header-anchor">#</a> OptionsPassthrough</h3> <p>Instructs <strong>pre-flight</strong> to let other potential next handlers to process the <code>OPTIONS</code> method. Turn this on if your application handles <code>OPTIONS</code>.</p> <p><strong>Type:</strong> <code>bool</code> <strong>Default:</strong> <code>false</code></p></div> <footer class="page-edit"><div class="edit-link"><a href="https://github.com/System-Glitch/goyave/edit/master/docs_src/src/guide/advanced/cors.md" target="_blank" rel="noopener noreferrer">Edit this page on GitHub</a> <svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></div> <!----></footer> <div class="page-nav"><p class="inner"><span class="prev"> 55 ← 56 <a href="/goyave/guide/advanced/multi-services.html" class="prev"> 57 Multi-services 58 </a></span> <span class="next"><a href="/goyave/guide/advanced/status-handlers.html"> 59 Status Handlers 60 </a> 61 → 62 </span></p></div> </main></div><div class="global-ui"><!----></div></div> 63 <script src="/goyave/assets/js/app.092490a7.js" defer></script><script src="/goyave/assets/js/4.75a9cc68.js" defer></script><script src="/goyave/assets/js/1.121dd9ed.js" defer></script><script src="/goyave/assets/js/9.8e043d60.js" defer></script><script src="/goyave/assets/js/5.c83f1192.js" defer></script> 64 </body> 65 </html>