improve

go-gitea · Dec 22, 2023 · edf3e04 · edf3e04
1 parent e6741b9
commit edf3e04
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 2 deletions.
diff --git a/modules/public/public.go b/modules/public/public.go
@@ -33,7 +33,7 @@ func FileHandlerFunc() http.HandlerFunc {
 	assetFS := AssetFS()
 	return func(resp http.ResponseWriter, req *http.Request) {
 		if req.Method != "GET" && req.Method != "HEAD" {
-			resp.WriteHeader(http.StatusBadRequest)
+			resp.WriteHeader(http.StatusMethodNotAllowed)
 			return
 		}
 		handleRequest(resp, req, assetFS, req.URL.Path)

diff --git a/routers/web/web.go b/routers/web/web.go
@@ -79,11 +79,12 @@ func optionsCorsHandler() func(next http.Handler) http.Handler {
 				if corsHandler != nil && r.Header.Get("Access-Control-Request-Method") != "" {
 					corsHandler(next).ServeHTTP(w, r)
 				} else {
-					// it should explicitly deny OPTIONS requests if CORS is disabled, to avoid the following GET/POST handler to be called by the OPTIONS request
+					// it should explicitly deny OPTIONS requests if CORS handler is executed, to avoid the following GET/POST handler to be incorrectly called by the OPTIONS request
 					w.WriteHeader(http.StatusMethodNotAllowed)
 				}
 				return
 			}
+			// for non-OPTIONS requests, call the CORS handler to add some related headers like "Vary"
 			if corsHandler != nil {
 				corsHandler(next).ServeHTTP(w, r)
 			} else {

diff --git a/tests/integration/cors_test.go b/tests/integration/cors_test.go
@@ -55,6 +55,7 @@ func TestCORS(t *testing.T) {
 			// OPTIONS userinfo for non-CORS
 			req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")
 			resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
+			assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
 		})
 	})