Iris provides two ways for configuring your Cors, one is by middleware and the other is by plugin.
The difference is that the
-
cors pluginis a wrapper which wraps the wholeiris.Router. -
cors plugincannot be registered per-route, only per-application. -
cors pluginhas all the options that the rs/cors middleware can accept. -
cors middlewareis just aniris.HandlerFuncwhich can be registered per-route. -
cors middlewaredoesn't provides a lot of options, just theAddOriginandAllowCredentials()but these are enough for the most use cases.
Choose the cors middleware if you must use it per-route, otherwise cors plugin which offers more options.
Let's take a quick overview, starting with the cors plugin.
$ go get -u github.com/iris-contrib/plugin/corsiris.Plugins.Add(cors.Default())package main
import (
"github.com/kataras/iris"
"github.com/iris-contrib/plugin/cors"
)
func main() {
app := iris.New()
// cors.Default() setup the router with default options being
// all origins accepted with simple methods (GET, POST). See
// documentation below for more options.
c := cors.Default()
app.Plugins.Add(c)
app.Get("/", func(ctx *iris.Context) {
ctx.JSON(iris.StatusOK, iris.Map{"hello": "world"})
})
app.Listen(":8080")
}Parameters are passed to the middleware thru the cors.New method as follow:
c := cors.New(cors.Options{
AllowedOrigins: []string{"http://foo.com"},
AllowCredentials: true,
})- AllowedOrigins
[]string: A list of origins a cross-domain request can be executed from. If the special*value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.:http://*.domain.com). Usage of wildcards implies a small performance penality. Only one wildcard can be used per origin. The default value is*. - AllowOriginFunc
func (origin string) bool: A custom function to validate the origin. It take the origin as argument and returns true if allowed or false otherwise. If this option is set, the content ofAllowedOriginsis ignored - AllowedMethods
[]string: A list of methods the client is allowed to use with cross-domain requests. Default value is simple methods (GETandPOST). - AllowedHeaders
[]string: A list of non simple headers the client is allowed to use with cross-domain requests. - ExposedHeaders
[]string: Indicates which headers are safe to expose to the API of a CORS API specification - AllowCredentials
bool: Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates. The default isfalse. - MaxAge
int: Indicates how long (in seconds) the results of a preflight request can be cached. The default is0which stands for no max age. - OptionsPassthrough
bool: Instructs preflight to let other potential next handlers to process theOPTIONSmethod. Turn this on if your application handlesOPTIONS. - Debug
bool: Debugging flag adds additional output to debug server side CORS issues.
$ go get -u github.com/iris-contrib/middleware/corspackage main
import (
"github.com/kataras/iris"
"github.com/iris-contrib/middleware/cors"
)
func main() {
iris.Use(cors.Default()) // enable all origins, disallow credentials
iris.Get("/home", func(c *iris.Context) {
c.Write("Hello from /home")
})
iris.Listen(":8080")
}package main
import (
"github.com/kataras/iris"
"github.com/iris-contrib/middleware/cors"
)
func main() {
c := cors.New()
// to enable credentials headers
c.AllowCredentials()
// allow origin per-domain
c.AddOrigin("http://yourdomainhere.com")
c.AddOrigin("http://otherdomainhere.com")
iris.Use(c)
iris.Get("/home", func(c *iris.Context) {
c.Write("Hello from /home")
})
iris.Listen(":8080")
}