feat: always allow some low-level headers in responses

Daniel G. Taylor 2022-02-26 23:26:52 -08:00
parent 9711a48852
commit a1d48c41e3
No known key found for this signature in database
GPG key ID: 74AE195C5112E534


@ -13,6 +13,19 @@ import (
"github.com/goccy/go-yaml"
)
// allowedHeaders is a list of built-in headers that are always allowed without
// explicitly being documented. Mostly they are low-level HTTP headers that
// control access or connection settings.
var allowedHeaders = map[string]bool{
"access-control-allow-origin": true,
"access-control-allow-methods": true,
"access-control-allow-headers": true,
"access-control-max-age": true,
"connection": true,
"keep-alive": true,
"vary": true,
}
// ContextFromRequest returns a Huma context for a request, useful for
// accessing high-level convenience functions from e.g. middleware.
func ContextFromRequest(w http.ResponseWriter, r *http.Request) Context {
@ -101,6 +114,10 @@ func (c *hcontext) WriteHeader(status int) {
// Check that all headers were allowed to be sent.
for name := range c.Header() {
if allowedHeaders[strings.ToLower(name)] {
continue
}
found := false
for _, h := range allowed {