From d12399db6b3dd3be62daa3aef23d9e730ec382a9 Mon Sep 17 00:00:00 2001
From: NoF0rte
Date: Mon, 7 Nov 2022 14:28:06 -0700
Subject: [PATCH 1/2] Added a very simple CORS implementation

---
 internal/runner/options.go | 42 +++++++++++++++++++-----------------
 internal/runner/runner.go | 1 +
 pkg/httpserver/corslayer.go | 30 ++++++++++++++++++++++++++
 pkg/httpserver/httpserver.go | 5 +++++
 4 files changed, 58 insertions(+), 20 deletions(-)
 create mode 100644 pkg/httpserver/corslayer.go

diff --git a/internal/runner/options.go b/internal/runner/options.go
index 5086d8a..9089a37 100644
--- a/internal/runner/options.go
+++ b/internal/runner/options.go
@@ -12,27 +12,28 @@ import (

 // Options of the tool
 type Options struct {
- ListenAddress string
- Folder string
- BasicAuth string
- username string
- password string
- Realm string
- TLSCertificate string
- TLSKey string
- TLSDomain string
- HTTPS bool
- Verbose bool
- EnableUpload bool
- EnableTCP bool
- RulesFile string
- TCPWithTLS bool
- Version bool
- Silent bool
- Sandbox bool
- MaxFileSize int
- HTTP1Only bool
+ ListenAddress string
+ Folder string
+ BasicAuth string
+ username string
+ password string
+ Realm string
+ TLSCertificate string
+ TLSKey string
+ TLSDomain string
+ HTTPS bool
+ Verbose bool
+ EnableUpload bool
+ EnableTCP bool
+ RulesFile string
+ TCPWithTLS bool
+ Version bool
+ Silent bool
+ Sandbox bool
+ MaxFileSize int
+ HTTP1Only bool
 MaxDumpBodySize int
+ CORS bool
 }

 // ParseOptions parses the command line options for application
@@ -61,6 +62,7 @@ func ParseOptions() *Options {
 flag.BoolVar(&options.HTTP1Only, "http1", false, "Enable only HTTP1")
 flag.IntVar(&options.MaxFileSize, "max-file-size", 50, "Max Upload File Size")
 flag.IntVar(&options.MaxDumpBodySize, "max-dump-body-size", -1, "Max Dump Body Size")
+ flag.BoolVar(&options.CORS, "cors", false, "Enable Cross-Origin Resource Sharing (CORS)")
 flag.Parse()

 // Read the inputs and configure the logging
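Review bot: The help text for the new `-cors` flag, `"Enable Cross-Origin Resource Sharing (CORS)"`, does not tell the operator which origins are allowed, while the layer added in pkg/httpserver/corslayer.go in this same patch answers with `Access-Control-Allow-Origin: *`. Because the flag sits beside options such as `BasicAuth` and `EnableUpload`, the wildcard is worth stating where the operator reads it, for example `"Enable CORS for any origin (sends Access-Control-Allow-Origin: *)"`. ParseOptions starts before and continues after this hunk.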
diff --git a/internal/runner/runner.go b/internal/runner/runner.go
index 59c28e3..a3c2887 100644
--- a/internal/runner/runner.go
+++ b/internal/runner/runner.go
@@ -68,6 +68,7 @@ func New(options *Options) (*Runner, error) {
 MaxFileSize: r.options.MaxFileSize,
 HTTP1Only: r.options.HTTP1Only,
 MaxDumpBodySize: unit.ToMb(r.options.MaxDumpBodySize),
+ CORS: r.options.CORS,
 })
 if err != nil {
 return nil, err
diff --git a/pkg/httpserver/corslayer.go b/pkg/httpserver/corslayer.go
new file mode 100644
index 0000000..da2be5b
--- /dev/null
+++ b/pkg/httpserver/corslayer.go
@@ -0,0 +1,30 @@
+package httpserver
+
+import (
+ "net/http"
+ "strings"
+)
+
+func (t *HTTPServer) corslayer(handler http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if r.Method != http.MethodOptions {
+ handler.ServeHTTP(w, r)
+ return
+ }
+
+ headers := w.Header()
+
+ headers.Add("Vary", "Origin")
+ headers.Add("Vary", "Access-Control-Request-Method")
+ headers.Add("Vary", "Access-Control-Request-Headers")
+
+ headers.Set("Access-Control-Allow-Origin", "*")
+
+ reqMethod := r.Header.Get("Access-Control-Request-Method")
+ if reqMethod != "" {
+ headers.Set("Access-Control-Allow-Methods", strings.ToUpper(reqMethod))
+ }
+
+ w.WriteHeader(http.StatusOK)
+ })
+}
diff --git a/pkg/httpserver/httpserver.go b/pkg/httpserver/httpserver.go
index 94c050e..b5ba83c 100644
--- a/pkg/httpserver/httpserver.go
+++ b/pkg/httpserver/httpserver.go
@@ -27,6 +27,7 @@ type Options struct {
 HTTP1Only bool
 MaxFileSize int // 50Mb
 MaxDumpBodySize int64
+ CORS bool
 }

 // HTTPServer instance
@@ -71,6 +72,10 @@ func New(options *Options) (*HTTPServer, error) {
 addHandler(h.basicauthlayer)
 }

+ if options.CORS {
+ addHandler(h.corslayer)
+ }
+
 httpHandler = h.loglayer(httpHandler)

 // add handler

From 3a7bc37ce3589810d90fa3348a509760bdab5d14 Mon Sep 17 00:00:00 2001
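Review bot: The preflight branch of `corslayer` approves whatever the caller asks for, because `Access-Control-Allow-Methods` is set to the client's own `Access-Control-Request-Method` upper-cased and no method is ever refused. The branch also answers every OPTIONS request with a 200, including ones that are not preflights (no `Origin` or `Access-Control-Request-Method` header), so those never reach the wrapped handler. I would pass non-preflight OPTIONS through and answer preflights from a method list fixed by the server, adding the upload method only when uploads are enabled (how uploads are served is not visible in this diff). The new function also has no doc comment; one sentence saying that it answers preflights itself would help the next reader.

```go
		// … unchanged: non-OPTIONS pass-through, headers := w.Header(), Vary headers …

		reqMethod := r.Header.Get("Access-Control-Request-Method")
		if r.Header.Get("Origin") == "" || reqMethod == "" {
			// Not a CORS preflight; let the wrapped handler answer it.
			handler.ServeHTTP(w, r)
			return
		}

		headers.Set("Access-Control-Allow-Origin", "*")
		// Fixed list: the server decides which methods are allowed, not the caller.
		headers.Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")

		w.WriteHeader(http.StatusOK)
```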
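Review bot: Whether `-cors` works together with basic auth depends on the order in which `addHandler` nests the layers, and that helper is defined outside this hunk. Browsers send preflight requests without credentials, so `corslayer` has to see the request before `basicauthlayer` does; if the nesting is the other way round, preflights would presumably be rejected by the auth layer whenever basic auth is configured. Either way the consequence deserves a comment at the call site, e.g. `// corslayer must sit outside basicauthlayer: preflights carry no credentials, so OPTIONS is answered unauthenticated`. `New` starts before and continues after this hunk.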
From: shubhamrasal
Date: Wed, 15 Mar 2023 14:13:46 +0530
Subject: [PATCH 2/2] Update header add location

---
 pkg/httpserver/corslayer.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/pkg/httpserver/corslayer.go b/pkg/httpserver/corslayer.go
index da2be5b..70549d0 100644
--- a/pkg/httpserver/corslayer.go
+++ b/pkg/httpserver/corslayer.go
@@ -7,19 +7,17 @@ import (

 func (t *HTTPServer) corslayer(handler http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ headers := w.Header()
+ headers.Set("Access-Control-Allow-Origin", "*")
 if r.Method != http.MethodOptions {
 handler.ServeHTTP(w, r)
 return
 }

- headers := w.Header()
-
 headers.Add("Vary", "Origin")
 headers.Add("Vary", "Access-Control-Request-Method")
 headers.Add("Vary", "Access-Control-Request-Headers")

- headers.Set("Access-Control-Allow-Origin", "*")
-
 reqMethod := r.Header.Get("Access-Control-Request-Method")
 if reqMethod != "" {
 headers.Set("Access-Control-Allow-Methods", strings.ToUpper(reqMethod))
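Review bot: With `headers.Set("Access-Control-Allow-Origin", "*")` moved above the method check, every response the wrapped handler produces is now readable by script from any origin, not only the preflight answer. For a file server this matters most when it listens on localhost or an internal network and relies on reachability rather than basic auth, since any page open in a browser that can reach the server can then read the served files. A configurable list of allowed origins, echoing the request's `Origin` only on a match and moving `headers.Add("Vary", "Origin")` above the branch as well, would keep the feature while limiting it. At minimum the function should carry a doc comment such as `// corslayer sets Access-Control-Allow-Origin: * on every response; enable only when all served content is public`. The closing lines of `corslayer` are outside this hunk.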