feat(middleware/cors): Add support for Access-Control-Allow-Private-N…

…etwork (#2908) * Add support for Access-Control-Allow-Private-Network in CORS middleware * Access-Control-Allow-Private-Network in CORS middleware documentation update * Access-Control-Allow-Private-Network in CORS middleware tests * Fix lint issues * Fix formatting * Rename config option, add more unit-tests * Fix syntax issue * Fix conditional * Fix formatting, add more unit-tests * chore(middleware/cors): Update middleware/cors/cors.go * chore(middleware/cors): add HeaderAccessControlRequestPrivateNetowkr * test(middleware/cors): fix CORS headers * docs(middleware/cors): table order and alignment --------- Co-authored-by: Juan Calderon-Perez <[email protected]> Co-authored-by: Juan Calderon-Perez <[email protected]> Co-authored-by: Jason McNeil <[email protected]>
gofiber · Mar 22, 2024 · 5e8df0a · 5e8df0a · ReneWerner87 · Mar 22, 2024
1 parent 7fa8b2d
commit 5e8df0a
Show file tree

Hide file tree

Showing 4 changed files with 260 additions and 137 deletions.
diff --git a/docs/api/middleware/cors.md b/docs/api/middleware/cors.md
@@ -110,16 +110,18 @@ panic: [CORS] 'AllowCredentials' is true, but 'AllowOrigins' cannot be set to `"
 
 ## Config
 
-| Property | Type | Description | Default |
-|:-----------------|:---------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------|
-| Next | `func(fiber.Ctx) bool` | Next defines a function to skip this middleware when returned true. | `nil` |
-| AllowOriginsFunc | `func(origin string) bool` | `AllowOriginsFunc` is a function that dynamically determines whether to allow a request based on its origin. If this function returns `true`, the 'Access-Control-Allow-Origin' response header will be set to the request's 'origin' header. This function is only used if the request's origin doesn't match any origin in `AllowOrigins`. | `nil` |
-| AllowOrigins | `string` | AllowOrigins defines a comma separated list of origins that may access the resource. This supports subdomain matching, so you can use a value like "https://*.example.com" to allow any subdomain of example.com to submit requests. | `"*"` |
-| AllowMethods | `string` | AllowMethods defines a list of methods allowed when accessing the resource. This is used in response to a preflight request. | `"GET,POST,HEAD,PUT,DELETE,PATCH"` |
-| AllowHeaders | `string` | AllowHeaders defines a list of request headers that can be used when making the actual request. This is in response to a preflight request. | `""` |
-| AllowCredentials | `bool` | AllowCredentials indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note: If true, AllowOrigins cannot be set to a wildcard (`"*"`) to prevent security vulnerabilities. | `false` |
-| ExposeHeaders | `string` | ExposeHeaders defines whitelist headers that clients are allowed to access. | `""` |
-| MaxAge | `int` | MaxAge indicates how long (in seconds) the results of a preflight request can be cached. If you pass MaxAge 0, the Access-Control-Max-Age header will not be added and the browser will use 5 seconds by default. To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header to 0. | `0` |
+| Property | Type | Description | Default |
+|:---------------------|:----------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------|
+| AllowCredentials | `bool` | AllowCredentials indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note: If true, AllowOrigins cannot be set to a wildcard (`"*"`) to prevent security vulnerabilities. | `false` |
+| AllowHeaders | `string` | AllowHeaders defines a list of request headers that can be used when making the actual request. This is in response to a preflight request. | `""` |
+| AllowMethods | `string` | AllowMethods defines a list of methods allowed when accessing the resource. This is used in response to a preflight request. | `"GET,POST,HEAD,PUT,DELETE,PATCH"` |
+| AllowOrigins | `string` | AllowOrigins defines a comma-separated list of origins that may access the resource. This supports subdomain matching, so you can use a value like "https://*.example.com" to allow any subdomain of example.com to submit requests. | `"*"` |
+| AllowOriginsFunc | `func(origin string) bool` | `AllowOriginsFunc` is a function that dynamically determines whether to allow a request based on its origin. If this function returns `true`, the 'Access-Control-Allow-Origin' response header will be set to the request's 'origin' header. This function is only used if the request's origin doesn't match any origin in `AllowOrigins`. | `nil` |
+| AllowPrivateNetwork | `bool` | Indicates whether the `Access-Control-Allow-Private-Network` response header should be set to `true`, allowing requests from private networks. This aligns with modern security practices for web applications interacting with private networks. | `false` |
+| ExposeHeaders | `string` | ExposeHeaders defines whitelist headers that clients are allowed to access. | `""` |
+| MaxAge | `int` | MaxAge indicates how long (in seconds) the results of a preflight request can be cached. If you pass MaxAge 0, the Access-Control-Max-Age header will not be added and the browser will use 5 seconds by default. To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header to 0. | `0` |
+| Next | `func(fiber.Ctx) bool` | Next defines a function to skip this middleware when returned true. | `nil` |
+
 
 ## Default Config
 
@@ -140,6 +142,7 @@ var ConfigDefault = Config{
  AllowCredentials: false,
  ExposeHeaders: "",
  MaxAge: 0,
+ AllowPrivateNetwork: false,
 }
 ```
Benchmark suite	Current: `5e8df0a`	Previous: `1607d87`	Ratio
`Benchmark_Etag`	`199.7` ns/op 0 B/op 0 allocs/op	`97.85` ns/op 0 B/op 0 allocs/op	`2.04`
`Benchmark_Middleware_Favicon`	`211.8` ns/op 12 B/op 4 allocs/op	`88.92` ns/op 3 B/op 1 allocs/op	`2.38`