[PR #319] [MERGED] Add CORS Support #514

New issue

Closed

opened 2026-03-03 12:30:23 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 12:30:23 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/fsouza/fake-gcs-server/pull/319
Author: @kenniaa
Created: 8/30/2020
Status: ✅ Merged
Merged: 9/12/2020
Merged by: @fsouza

Base: main ← Head: add-cors

📝 Commits (5)

8cfcdf1 Add CORS support
8502c4e Customize allowed headers
ccae498 Update tests
87783da Simplify if block
b6b0b30 Default allowCORSHeaders to nil

📊 Changes

4 files changed (+146 additions, -33 deletions)

View changed files

📝 fakestorage/server.go (+25 -2)
📝 fakestorage/server_test.go (+75 -0)
📝 internal/config/config.go (+27 -15)
📝 internal/config/config_test.go (+19 -16)

📄 Description

A big reason for supporting signed urls is the ability to initiate requests from the browser that insert files into the bucket instead of proxying files through your server.

Currently, this does not work in fake-gcs-server due to CORS limitations, as fake-gcs-server does not respond to any CORS preflight requests. From the browser, you may disable CORS checking (via no-cors on fetch or equivalent), but this severely limits what kind of requests you can make; with CORS checking disabled, you are unable to initiate a PUT request thereby preventing the above usecase.

So to address this, I've added a simple CORS handler. It is intended to be maximally accepting, such that most requests will be accepted without configuration. Since this project is meant for testing GCS and not running in production, I did not see much of a reason for locking it down and instead opted for ease of use.

The one exception to this is Access-Control-Allowed-Headers, because unfortunately Mux will not support wildcards for headers. This means that I instead had to audit what headers fake-gcs-server accepts and manually specify them in the allowlist-- I believe I have covered them all but I could be missing something (CORS requests never worked here, so I don't consider that a dealbreaker). Additionally, I've added a new command line flag for the end user to specify any additional headers they need to be present in the allowlist. I found this useful for the custom meta headers that you may attach to signed urls.

I've added tests which should cover the necessary changes to config and server function, but please let me know if I should add any others!

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fsouza/fake-gcs-server/pull/319 **Author:** [@kenniaa](https://github.com/kenniaa) **Created:** 8/30/2020 **Status:** ✅ Merged **Merged:** 9/12/2020 **Merged by:** [@fsouza](https://github.com/fsouza) **Base:** `main` ← **Head:** `add-cors` --- ### 📝 Commits (5) - [`8cfcdf1`](https://github.com/fsouza/fake-gcs-server/commit/8cfcdf18de01ef842e2b6aac23b9e52868610232) Add CORS support - [`8502c4e`](https://github.com/fsouza/fake-gcs-server/commit/8502c4ea3320d126efe234d6d7cae4ea1613a206) Customize allowed headers - [`ccae498`](https://github.com/fsouza/fake-gcs-server/commit/ccae4983397e0a74115a389d7293dae4c093e3ea) Update tests - [`87783da`](https://github.com/fsouza/fake-gcs-server/commit/87783da7a69ffcc60dececcfaab5bd0f2e33d7b6) Simplify if block - [`b6b0b30`](https://github.com/fsouza/fake-gcs-server/commit/b6b0b30d0a145ad61e69fe345b4badbb679099fe) Default allowCORSHeaders to nil ### 📊 Changes **4 files changed** (+146 additions, -33 deletions) <details> <summary>View changed files</summary> 📝 `fakestorage/server.go` (+25 -2) 📝 `fakestorage/server_test.go` (+75 -0) 📝 `internal/config/config.go` (+27 -15) 📝 `internal/config/config_test.go` (+19 -16) </details> ### 📄 Description A big reason for supporting signed urls is the ability to initiate requests from the browser that insert files into the bucket instead of proxying files through your server. Currently, this does not work in `fake-gcs-server` due to CORS limitations, as `fake-gcs-server` does not respond to any CORS preflight requests. From the browser, you may disable CORS checking (via `no-cors` on `fetch` or equivalent), but this [severely limits][no-cors-limits] what kind of requests you can make; with CORS checking disabled, you are unable to initiate a PUT request thereby preventing the above usecase. So to address this, I've added a simple CORS handler. It is intended to be maximally accepting, such that most requests will be accepted without configuration. Since this project is meant for testing GCS and not running in production, I did not see much of a reason for locking it down and instead opted for ease of use. The one exception to this is `Access-Control-Allowed-Headers`, because unfortunately Mux [will not support][header-wildcard-issue] wildcards for headers. This means that I instead had to audit what headers `fake-gcs-server` accepts and manually specify them in the allowlist-- I believe I have covered them all but I could be missing something (CORS requests never worked here, so I don't consider that a dealbreaker). Additionally, I've added a new command line flag for the end user to specify any additional headers they need to be present in the allowlist. I found this useful for the custom meta headers that you may attach to signed urls. I've added tests which should cover the necessary changes to config and server function, but please let me know if I should add any others! [no-cors-limits]: https://developer.mozilla.org/en-US/docs/Web/API/Request/mode [header-wildcard-issue]: https://github.com/gorilla/handlers/pull/180 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>