fix(route): force CORS header for content route with correct header parameters (close #3192)

middleware/common.go

@@ -16,6 +16,7 @@ import (
 	"github.com/cloudreve/Cloudreve/v4/pkg/request"
 	"github.com/cloudreve/Cloudreve/v4/pkg/serializer"
 	"github.com/cloudreve/Cloudreve/v4/pkg/util"
+	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
 	"github.com/gofrs/uuid"
 )
@@ -157,3 +158,13 @@ func Logging() gin.HandlerFunc {
 			c.Errors.ByType(gin.ErrorTypePrivate).String(), start)
 	}
 }
+
+func ContentCORS() gin.HandlerFunc {
+	return cors.New(cors.Config{
+		AllowOrigins:     []string{"*"},
+		AllowMethods:     []string{"GET", "HEAD", "OPTIONS"},
+		AllowHeaders:     []string{"Range", "If-Range", "Authorization", "Content-Type"},
+		ExposeHeaders:    []string{"Content-Range", "Accept-Ranges", "Content-Length", "Content-Disposition", "Content-Disposition", "ETag"},
+		AllowCredentials: false,
+	})
+}

routers/router.go

@@ -243,7 +243,9 @@ func initMasterRouter(dep dependency.Dep) *gin.Engine {
 	{
 		// Redirect file source link
 		source := r.Group("f")
+		source.Use(middleware.ContentCORS())
 		{
+			source.OPTIONS("*option", middleware.ContentCORS())
 			source.GET(":id/:name",
 				middleware.HashID(hashid.SourceLinkID),
 				controllers.AnonymousPermLink(false))
@@ -632,12 +634,9 @@ func initMasterRouter(dep dependency.Dep) *gin.Engine {
 				controllers.PutContent)
 			// Get entity content for preview/download
 			content := file.Group("content")
-			contentCors := cors.New(cors.Config{
+			content.Use(middleware.ContentCORS())
-				AllowOrigins: []string{"*"},
-			})
-			content.Use(contentCors)
 			{
-				content.OPTIONS("*option", contentCors)
+				content.OPTIONS("*option", middleware.ContentCORS())
 				content.GET(":id/:speed/:name",
 					middleware.SignRequired(dep.GeneralAuth()),
 					middleware.HashID(hashid.EntityID),