~emersion/soju

87b75c44d204a4ff6ef1eb93415835381f567c67 — Simon Ser a month ago eb524bf
fileupload: fix http-origin pattern matching

Mirror what github.com/nhooyr/websocket does and match the host
only. Using the full URL never results in a match, because it
contains slash characters.
1 files changed, 1 insertions(+), 1 deletions(-)

M fileupload/fileupload.go
M fileupload/fileupload.go => fileupload/fileupload.go +1 -1
@@ 103,7 103,7 @@ func (h *Handler) setCORS(resp http.ResponseWriter, req *http.Request) error {
		return fmt.Errorf("invalid Origin header field: %v", err)
	}

	if !strings.EqualFold(u.Host, req.Host) && !h.checkOrigin(reqOrigin) {
	if !strings.EqualFold(u.Host, req.Host) && !h.checkOrigin(u.Host) {
		return fmt.Errorf("unauthorized Origin")
	}
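Review bot: With `h.checkOrigin(u.Host)` the configured patterns are compared against the host (plus port, when the Origin carries one) only, so the Origin's scheme plays no part in the decision; a pattern written for an HTTPS front end would presumably also accept the same host over `http://`. That trade-off is not visible at the call site, so I would add a comment above the `if`: `// Origin patterns match u.Host (host[:port]) only; the scheme is not checked.` An Origin value that parses without a host leaves `u.Host` empty, and whether a wildcard pattern then accepts it depends on checkOrigin, which is outside this hunk; rejecting `u.Host == ""` before the comparison would settle it. setCORS begins and ends outside the hunk.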