41 lines
1.3 KiB
Go
41 lines
1.3 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||
// SPDX-License-Identifier: MIT
|
||
|
||
package setting
|
||
|
||
import (
|
||
"time"
|
||
|
||
"code.gitea.io/gitea/modules/log"
|
||
)
|
||
|
||
// CORSConfig defines CORS settings
|
||
var CORSConfig = struct {
|
||
Enabled bool
|
||
AllowDomain []string // FIXME: this option is from legacy code, it actually works as "AllowedOrigins". When refactoring in the future, the config option should also be renamed together.
|
||
Methods []string
|
||
MaxAge time.Duration
|
||
AllowCredentials bool
|
||
Headers []string
|
||
XFrameOptions string // deprecated
|
||
|
||
// 使用 Content-Security-Policy 请求头代替过时的 X-Frame-Options
|
||
// ref = https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Security-Policy
|
||
ContentSecurityPolicy string
|
||
}{
|
||
AllowDomain: []string{"*"},
|
||
Methods: []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
|
||
Headers: []string{"Content-Type", "User-Agent"},
|
||
MaxAge: 10 * time.Minute,
|
||
|
||
// 默认只支持运行 Gitea最小限度,如需定制需要修改 app.ini
|
||
ContentSecurityPolicy: "default-src 'self' data: 'unsafe-inline' https://mp.weixin.qq.com; img-src * data:",
|
||
}
|
||
|
||
func loadCorsFrom(rootCfg ConfigProvider) {
|
||
mustMapSetting(rootCfg, "cors", &CORSConfig)
|
||
if CORSConfig.Enabled {
|
||
log.Info("CORS Service Enabled")
|
||
}
|
||
}
|