Iris provides two ways for configuring your Cors, one is by middleware and the other is by plugin.
The difference is that the
-
cors plugin
is a wrapper which wraps the wholeiris.Router
. -
cors plugin
cannot be registered per-route, only per-application. -
cors plugin
has all the options that the rs/cors middleware can accept. -
cors middleware
is just aniris.HandlerFunc
which can be registered per-route. -
cors middleware
doesn't provides a lot of options, just theAddOrigin
andAllowCredentials()
but these are enough for the most use cases.
Choose the cors middleware if you must use it per-route, otherwise cors plugin which offers more options.
Let's take a quick overview, starting with the cors plugin
.
$ go get -u github.com/iris-contrib/plugin/cors
iris.Plugins.Add(cors.Default())
package main
import (
"github.com/kataras/iris"
"github.com/iris-contrib/plugin/cors"
)
func main() {
app := iris.New()
// cors.Default() setup the router with default options being
// all origins accepted with simple methods (GET, POST). See
// documentation below for more options.
c := cors.Default()
app.Plugins.Add(c)
app.Get("/", func(ctx *iris.Context) {
ctx.JSON(iris.StatusOK, iris.Map{"hello": "world"})
})
app.Listen(":8080")
}
Parameters are passed to the middleware thru the cors.New
method as follow:
c := cors.New(cors.Options{
AllowedOrigins: []string{"http://foo.com"},
AllowCredentials: true,
})
- AllowedOrigins
[]string
: A list of origins a cross-domain request can be executed from. If the special*
value is present in the list, all origins will be allowed. An origin may contain a wildcard (*
) to replace 0 or more characters (i.e.:http://*.domain.com
). Usage of wildcards implies a small performance penality. Only one wildcard can be used per origin. The default value is*
. - AllowOriginFunc
func (origin string) bool
: A custom function to validate the origin. It take the origin as argument and returns true if allowed or false otherwise. If this option is set, the content ofAllowedOrigins
is ignored - AllowedMethods
[]string
: A list of methods the client is allowed to use with cross-domain requests. Default value is simple methods (GET
andPOST
). - AllowedHeaders
[]string
: A list of non simple headers the client is allowed to use with cross-domain requests. - ExposedHeaders
[]string
: Indicates which headers are safe to expose to the API of a CORS API specification - AllowCredentials
bool
: Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates. The default isfalse
. - MaxAge
int
: Indicates how long (in seconds) the results of a preflight request can be cached. The default is0
which stands for no max age. - OptionsPassthrough
bool
: Instructs preflight to let other potential next handlers to process theOPTIONS
method. Turn this on if your application handlesOPTIONS
. - Debug
bool
: Debugging flag adds additional output to debug server side CORS issues.
$ go get -u github.com/iris-contrib/middleware/cors
package main
import (
"github.com/kataras/iris"
"github.com/iris-contrib/middleware/cors"
)
func main() {
iris.Use(cors.Default()) // enable all origins, disallow credentials
iris.Get("/home", func(c *iris.Context) {
c.Write("Hello from /home")
})
iris.Listen(":8080")
}
package main
import (
"github.com/kataras/iris"
"github.com/iris-contrib/middleware/cors"
)
func main() {
c := cors.New()
// to enable credentials headers
c.AllowCredentials()
// allow origin per-domain
c.AddOrigin("http://yourdomainhere.com")
c.AddOrigin("http://otherdomainhere.com")
iris.Use(c)
iris.Get("/home", func(c *iris.Context) {
c.Write("Hello from /home")
})
iris.Listen(":8080")
}