From b2af5382ea3723779406988b0bb374aed27906a1 Mon Sep 17 00:00:00 2001
From: Martin Geno
Date: Tue, 17 May 2016 10:54:57 +0200
Subject: [PATCH] api access controll
---
 api/lib.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/api/lib.go b/api/lib.go
index d6057d6..c922d2f 100644
--- a/api/lib.go
+++ b/api/lib.go
@@ -18,17 +18,21 @@ func jsonOutput(w http.ResponseWriter,data interface{}){
 }
 w.Header().Set("Content-Type", "application/json")
- w.Header().Set("Access-Control-Allow-Origin", "*")
+ if origin := r.Header.Get("Origin"); origin != "" {
+ w.Header().Set("Access-Control-Allow-Origin", origin)
+ }
 w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE")
 w.Header().Set("Access-Control-Allow-Headers","Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
 w.Write(js)
 }
 func BasicAuth(h httprouter.Handle, pass []byte) httprouter.Handle {
 return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
- w.Header().Set("Access-Control-Allow-Origin", "*")
+ if origin := r.Header.Get("Origin"); origin != "" {
+ w.Header().Set("Access-Control-Allow-Origin", origin)
+ }
 w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE")
 w.Header().Set("Access-Control-Allow-Headers","Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
-
+
 const basicAuthPrefix string = "Basic "
 // Get the Basic Authentication credentials
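Review bot: Echoing the request's `Origin` header back as `Access-Control-Allow-Origin`, as both added blocks do, still allows every origin just like the `*` it replaces; unlike `*`, a reflected origin is also accepted by browsers on credentialed requests, so the policy becomes looser if `Access-Control-Allow-Credentials` is ever added. Compare the value against a configured set before reflecting it, e.g. `if origin := r.Header.Get("Origin"); allowedOrigins[origin] {` (`allowedOrigins` is a placeholder for a map the project would define), and add `w.Header().Add("Vary", "Origin")` so caches do not serve one origin's response to another. Separately, the hunk header shows `jsonOutput(w http.ResponseWriter,data interface{})` with no request parameter, so the `r` used in the first added block is presumably undefined there unless it is declared outside the hunk; the request would have to be passed in. Both function bodies extend beyond the hunk.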