Add AllowOriginFunc option support

README.md

@@ -71,6 +71,7 @@ handler = c.Handler(handler)
 ```
 
 * **AllowedOrigins** `[]string`: A list of origins a cross-domain request can be executed from. If the special `*` value is present in the list, all origins will be allowed. The default value is `*`.
+* **AllowOriginFunc** `func (origin string) bool`: A custom function to validate the origin. It take the origin as argument and returns true if allowed or false otherwise. If this option is set, the content of `AllowedOrigins` is ignored
 * **AllowedMethods** `[]string`: A list of methods the client is allowed to use with cross-domain requests.
 * **AllowedHeaders** `[]string`: A list of non simple headers the client is allowed to use with cross-domain requests. Default value is simple methods (`GET` and `POST`)
 * **ExposedHeaders** `[]string`: Indicates which headers are safe to expose to the API of a CORS API specification

cors.go

@@ -34,6 +34,10 @@ type Options struct {
 	// If the special "*" value is present in the list, all origins will be allowed.
 	// Default value is ["*"]
 	AllowedOrigins []string
+	// AllowOriginFunc is a custom function to validate the origin. It take the origin
+	// as argument and returns true if allowed or false otherwise. If this option is
+	// set, the content of AllowedOrigins is ignored.
+	AllowOriginFunc func(origin string) bool
 	// AllowedMethods is a list of methods the client is allowed to use with
 	// cross-domain requests. Default value is simple methods (GET and POST)
 	AllowedMethods []string
@@ -62,6 +66,8 @@ type Cors struct {
 	allowedOriginsAll bool
 	// Normalized list of allowed origins
 	allowedOrigins []string
+	// Optional origin validator function
+	allowOriginFunc func(origin string) bool
 	// Set to true when allowed headers contains a "*"
 	allowedHeadersAll bool
 	// Normalized list of allowed headers
@@ -78,6 +84,7 @@ type Cors struct {
 func New(options Options) *Cors {
 	c := &Cors{
 		exposedHeaders:   convert(options.ExposedHeaders, http.CanonicalHeaderKey),
+		allowOriginFunc:  options.AllowOriginFunc,
 		allowCredentials: options.AllowCredentials,
 		maxAge:           options.MaxAge,
 	}
@@ -281,6 +288,9 @@ func (c *Cors) logf(format string, a ...interface{}) {
 // isOriginAllowed checks if a given origin is allowed to perform cross-domain requests
 // on the endpoint
 func (c *Cors) isOriginAllowed(origin string) bool {
+	if c.allowOriginFunc != nil {
+		return c.allowOriginFunc(origin)
+	}
 	if c.allowedOriginsAll {
 		return true
 	}

cors_test.go

@@ -3,6 +3,7 @@ package cors
 import (
 	"net/http"
 	"net/http/httptest"
+	"regexp"
 	"testing"
 )
 
@@ -101,6 +102,32 @@ func TestDisallowedOrigin(t *testing.T) {
 	})
 }
 
+func TestAllowedOriginFunc(t *testing.T) {
+	r, _ := regexp.Compile("^http://foo")
+	s := New(Options{
+		AllowOriginFunc: func(o string) bool {
+			println(r.MatchString(o))
+			return r.MatchString(o)
+		},
+	})
+
+	req, _ := http.NewRequest("GET", "http://example.com/foo", nil)
+
+	res := httptest.NewRecorder()
+	req.Header.Set("Origin", "http://foobar.com")
+	s.Handler(testHandler).ServeHTTP(res, req)
+	assertHeaders(t, res.Header(), map[string]string{
+		"Access-Control-Allow-Origin": "http://foobar.com",
+	})
+
+	res = httptest.NewRecorder()
+	req.Header.Set("Origin", "http://barfoo.com")
+	s.Handler(testHandler).ServeHTTP(res, req)
+	assertHeaders(t, res.Header(), map[string]string{
+		"Access-Control-Allow-Origin": "",
+	})
+}
+
 func TestAllowedMethod(t *testing.T) {
 	s := New(Options{
 		AllowedOrigins: []string{"http://foobar.com"},