[server] Add Go 1.25 CORS protection

Author: infogulch

build.go

@@ -29,6 +29,7 @@ type builder struct {
 	*InstanceStats
 	m      *minify.M
 	routes []InstanceRoute
+	router *http.ServeMux
 }
 
 type InstanceStats struct {

config.go

@@ -30,6 +30,8 @@ type Config struct {
 	// Whether html templates are minified at load time. Default `true`.
 	Minify bool `json:"minify,omitempty" arg:"-m,--minify" default:"true"`
 
+	CrossOrigin CrossOriginConfig `json:"crossorigin"`
+
 	Databases       []DotDBConfig    `json:"databases" arg:"-"`
 	Flags           []DotFlagsConfig `json:"flags" arg:"-"`
 	Directories     []DotDirConfig   `json:"directories" arg:"-"`
@@ -53,6 +55,12 @@ type Config struct {
 	Logger *slog.Logger `json:"-" arg:"-"`
 }
 
+type CrossOriginConfig struct {
+	Disabled               bool     `json:"disabled" arg:"--disable-cors" default:"false"`
+	TrustedOrigins         []string `json:"trusted_origins" arg:"--trusted-origin,separate"`
+	InsecureBypassPatterns []string `json:"insecure_bypass_patterns" arg:"--insecure-bypass-pattern,separate"`
+}
+
 // FillDefaults sets default values for unset fields
 func (config *Config) Defaults() *Config {
 	if config.TemplatesDir == "" {

instance.go

@@ -40,10 +40,11 @@ import (
 //
 // See also [Server] which manages instances and enables reloading them.
 type Instance struct {
+	id      int64
+	handler http.Handler
+
 	config Config
-	id     int64
 
-	router    *http.ServeMux
 	files     map[string]*fileInfo
 	templates *template.Template
 	funcs     template.FuncMap
@@ -199,6 +200,17 @@ func (config *Config) Instance(cfgs ...Option) (*Instance, *InstanceStats, []Ins
 			slog.Int("staticFilesAlternateEncodings", build.StaticFilesAlternateEncodings),
 		))
 
+	if !config.CrossOrigin.Disabled {
+		handler := http.NewCrossOriginProtection()
+		for _, origin := range config.CrossOrigin.TrustedOrigins {
+			handler.AddTrustedOrigin(origin)
+		}
+		for _, pattern := range config.CrossOrigin.InsecureBypassPatterns {
+			handler.AddInsecureBypassPattern(pattern)
+		}
+		build.handler = handler.Handler(build.router)
+	}
+
 	return build.Instance, build.InstanceStats, build.routes, nil
 }
 
@@ -251,7 +263,7 @@ func (instance *Instance) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	log := instance.config.Logger.With(slog.Group("serve",
 		slog.String("requestid", rid),
 	))
-	log.LogAttrs(r.Context(), slog.LevelDebug, "serving request",
+	log.LogAttrs(ctx, slog.LevelDebug, "serving request",
 		slog.String("user-agent", r.Header.Get("User-Agent")),
 		slog.String("method", r.Method),
 		slog.String("requestPath", r.URL.Path),
@@ -261,7 +273,7 @@ func (instance *Instance) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	r = r.WithContext(ctx)
 	metrics := httpsnoop.CaptureMetrics(instance.router, w, r)
 
-	log.LogAttrs(r.Context(), levelDebug2, "request served",
+	log.LogAttrs(ctx, levelDebug2, "request served",
 		slog.Group("response",
 			slog.Duration("duration", metrics.Duration),
 			slog.Int("statusCode", metrics.Code),

test/tests/cors.hurl

@@ -0,0 +1,36 @@
+# Test CORS protection with untrusted origin
+OPTIONS http://localhost:8080/
+Origin: http://evil.com
+Access-Control-Request-Method: GET
+
+HTTP 405
+
+# Test CORS protection with simple cross-origin request
+GET http://localhost:8080/
+Origin: http://evil.com
+
+HTTP 200
+[Asserts]
+header "Access-Control-Allow-Origin" not exists
+
+# Test preflight with trusted origin (but none are trusted, so 405)
+# Since no trusted origins, even "null" or same should be protected if specified.
+# But for localhost:8080, if hurl is localhost:8080 to server localhost:8080, same origin, no protection needed.
+# But to test, using cross-origin.
+
+# Test OPTIONS preflight with Access-Control-Request-Method
+OPTIONS http://localhost:8080/assets/file.txt
+Origin: http://example.com
+Access-Control-Request-Method: GET
+
+HTTP 405
+
+# Test GET with cross-origin
+GET http://localhost:8080/assets/file.txt
+Origin: http://example.com
+
+HTTP 200
+Content-Type: text/plain; charset=utf-8
+[Asserts]
+header "Access-Control-Allow-Origin" not exists
+body == "testing"