-rw-r--r-- | api/websocket_test.go | 4 | ||||
-rw-r--r-- | utils/api.go | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/api/websocket_test.go b/api/websocket_test.go
index bda014f06..a65ebc02e 100644
--- a/api/websocket_test.go
+++ b/api/websocket_test.go
@@ -345,7 +345,7 @@ func TestWebsocketOriginSecurity(t *testing.T) {
 }
 // Should succeed now because matching CORS
- *utils.Cfg.ServiceSettings.AllowCorsFrom = "www.evil.com"
+ *utils.Cfg.ServiceSettings.AllowCorsFrom = "http://www.evil.com"
 _, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
 "Origin": []string{"http://www.evil.com"},
 })
@@ -354,7 +354,7 @@ func TestWebsocketOriginSecurity(t *testing.T) {
 }
 // Should fail because non-matching CORS
- *utils.Cfg.ServiceSettings.AllowCorsFrom = "www.good.com"
+ *utils.Cfg.ServiceSettings.AllowCorsFrom = "http://www.good.com"
 _, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
 "Origin": []string{"http://www.evil.com"},
 })
diff --git a/utils/api.go b/utils/api.go
index 55f84ef92..663f53c16 100644
--- a/utils/api.go
+++ b/utils/api.go
@@ -15,7 +15,7 @@ type OriginCheckerProc func(*http.Request) bool
 func OriginChecker(r *http.Request) bool {
 origin := r.Header.Get("Origin")
- return *Cfg.ServiceSettings.AllowCorsFrom == "*" || strings.Contains(origin, *Cfg.ServiceSettings.AllowCorsFrom)
+ return *Cfg.ServiceSettings.AllowCorsFrom == "*" || strings.Contains(*Cfg.ServiceSettings.AllowCorsFrom, origin)
 }
 func GetOriginChecker(r *http.Request) OriginCheckerProc { |
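Review bot: The "Should fail because non-matching CORS" case in the hunk at -354 pairs an allowed value and an Origin whose hosts are unrelated, so it passes under both the old and the new substring check and cannot catch a partial match. Add a case where the Origin is a proper substring of the allowed value and the dial is expected to fail, for example `*utils.Cfg.ServiceSettings.AllowCorsFrom = "http://www.evil.com.example"` (constructed value) with the same `http://www.evil.com` Origin header. A case with an empty Origin header would pin down that boundary as well. TestWebsocketOriginSecurity starts and ends outside these hunks, so existing cases for either may not be visible here.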
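Review bot: The reversed `strings.Contains(*Cfg.ServiceSettings.AllowCorsFrom, origin)` in OriginChecker accepts any Origin that is a substring of the configured value, so an empty or missing Origin header passes, and so does a shorter origin that is a prefix of an allowed one (the same host without a configured port or suffix, for instance). An origin is only safe to compare as a whole string, so match the header against each configured entry exactly, as sketched below; the sketch assumes the setting is a whitespace-separated list, which the hunk does not show. With exact matching a request that carries no Origin header is rejected, so decide explicitly whether such clients should be let through. A doc comment on OriginChecker stating the expected format of AllowCorsFrom would make the contract reviewable.

```go
func OriginChecker(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	allowed := *Cfg.ServiceSettings.AllowCorsFrom
	if allowed == "*" {
		return true
	}
	// Exact match per entry; strings.Fields never yields "", so an
	// empty Origin cannot match.
	for _, entry := range strings.Fields(allowed) {
		if entry == origin {
			return true
		}
	}
	return false
}
```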