Handle CORS requests (#6289)

routers/api/v1/api.go

@@ -74,7 +74,8 @@ import (
 	"code.gitea.io/gitea/routers/api/v1/user"
 
 	"github.com/go-macaron/binding"
-	"gopkg.in/macaron.v1"
+	"github.com/go-macaron/cors"
+	macaron "gopkg.in/macaron.v1"
 )
 
 func sudo() macaron.Handler {
@@ -500,6 +501,12 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Get("/swagger", misc.Swagger) //Render V1 by default
 	}
 
+	var handlers []macaron.Handler
+	if setting.EnableCORS {
+		handlers = append(handlers, cors.CORS(setting.CORSConfig))
+	}
+	handlers = append(handlers, securityHeaders(), context.APIContexter(), sudo())
+
 	m.Group("/v1", func() {
 		// Miscellaneous
 		if setting.API.EnableSwagger {
@@ -841,5 +848,15 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Group("/topics", func() {
 			m.Get("/search", repo.TopicSearch)
 		})
-	}, context.APIContexter(), sudo())
+	}, handlers...)
+}
+
+func securityHeaders() macaron.Handler {
+	return func(ctx *macaron.Context) {
+		ctx.Resp.Before(func(w macaron.ResponseWriter) {
+			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers
+			// http://stackoverflow.com/a/3146618/244009
+			w.Header().Set("x-content-type-options", "nosniff")
+		})
+	}
 }