@@ -19,6 +19,13 @@ type (
1919 // Optional. Default value []string{"*"}.
2020 AllowOrigins []string `yaml:"allow_origins"`
2121
22+ // AllowOriginFunc is a custom function to validate the origin. It takes the
23+ // origin as an argument and returns true if allowed or false otherwise. If
24+ // an error is returned, it is returned by the handler. If this option is
25+ // set, AllowOrigins is ignored.
26+ // Optional.
27+ AllowOriginFunc func (origin string ) (bool , error ) `yaml:"allow_origin_func"`
28+
2229 // AllowMethods defines a list methods allowed when accessing the resource.
2330 // This is used in response to a preflight request.
2431 // Optional. Default value DefaultCORSConfig.AllowMethods.
@@ -113,40 +120,50 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
113120 return c .NoContent (http .StatusNoContent )
114121 }
115122
116- // Check allowed origins
117- for _ , o := range config .AllowOrigins {
118- if o == "*" && config .AllowCredentials {
119- allowOrigin = origin
120- break
121- }
122- if o == "*" || o == origin {
123- allowOrigin = o
124- break
123+ if config .AllowOriginFunc != nil {
124+ allowed , err := config .AllowOriginFunc (origin )
125+ if err != nil {
126+ return err
125127 }
126- if matchSubdomain ( origin , o ) {
128+ if allowed {
127129 allowOrigin = origin
128- break
129130 }
130- }
131-
132- // Check allowed origin patterns
133- for _ , re := range allowOriginPatterns {
134- if allowOrigin == "" {
135- didx := strings .Index (origin , "://" )
136- if didx == - 1 {
137- continue
131+ } else {
132+ // Check allowed origins
133+ for _ , o := range config .AllowOrigins {
134+ if o == "*" && config .AllowCredentials {
135+ allowOrigin = origin
136+ break
138137 }
139- domAuth := origin [didx + 3 :]
140- // to avoid regex cost by invalid long domain
141- if len (domAuth ) > 253 {
138+ if o == "*" || o == origin {
139+ allowOrigin = o
142140 break
143141 }
144-
145- if match , _ := regexp .MatchString (re , origin ); match {
142+ if matchSubdomain (origin , o ) {
146143 allowOrigin = origin
147144 break
148145 }
149146 }
147+
148+ // Check allowed origin patterns
149+ for _ , re := range allowOriginPatterns {
150+ if allowOrigin == "" {
151+ didx := strings .Index (origin , "://" )
152+ if didx == - 1 {
153+ continue
154+ }
155+ domAuth := origin [didx + 3 :]
156+ // to avoid regex cost by invalid long domain
157+ if len (domAuth ) > 253 {
158+ break
159+ }
160+
161+ if match , _ := regexp .MatchString (re , origin ); match {
162+ allowOrigin = origin
163+ break
164+ }
165+ }
166+ }
150167 }
151168
152169 // Origin not allowed
0 commit comments