From 864332f2e57391de924327193de16cf65ccc073d Mon Sep 17 00:00:00 2001
From: Aaron Liu
Date: Fri, 23 Jan 2026 15:23:09 +0800
Subject: [PATCH] fix(route): force CORS header for content route with correct header parameters (close #3192)
---
 middleware/common.go | 11 +++++++++++
 routers/router.go | 9 ++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/middleware/common.go b/middleware/common.go
index 3c501ed5..19163ed2 100644
--- a/middleware/common.go
+++ b/middleware/common.go
@@ -16,6 +16,7 @@ import (
 "github.com/cloudreve/Cloudreve/v4/pkg/request"
 "github.com/cloudreve/Cloudreve/v4/pkg/serializer"
 "github.com/cloudreve/Cloudreve/v4/pkg/util"
+ "github.com/gin-contrib/cors"
 "github.com/gin-gonic/gin"
 "github.com/gofrs/uuid"
 )
@@ -157,3 +158,13 @@ func Logging() gin.HandlerFunc {
 c.Errors.ByType(gin.ErrorTypePrivate).String(), start)
 }
 }
+
+func ContentCORS() gin.HandlerFunc {
+ return cors.New(cors.Config{
+ AllowOrigins: []string{"*"},
+ AllowMethods: []string{"GET", "HEAD", "OPTIONS"},
+ AllowHeaders: []string{"Range", "If-Range", "Authorization", "Content-Type"},
+ ExposeHeaders: []string{"Content-Range", "Accept-Ranges", "Content-Length", "Content-Disposition", "Content-Disposition", "ETag"},
+ AllowCredentials: false,
+ })
+}
diff --git a/routers/router.go b/routers/router.go
index cb138520..54e4bd00 100644
--- a/routers/router.go
+++ b/routers/router.go
@@ -243,7 +243,9 @@ func initMasterRouter(dep dependency.Dep) *gin.Engine {
 {
 // Redirect file source link
 source := r.Group("f")
+ source.Use(middleware.ContentCORS())
 {
+ source.OPTIONS("*option", middleware.ContentCORS())
 source.GET(":id/:name",
 middleware.HashID(hashid.SourceLinkID),
 controllers.AnonymousPermLink(false))
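Review bot: `ExposeHeaders` in the new `ContentCORS` lists `"Content-Disposition"` twice, so one entry is redundant and may stand in for a header that was meant to be exposed; the hunk does not say which, so either drop the duplicate or replace it with the intended name. The exported function also has no doc comment, and because it pairs `AllowOrigins: []string{"*"}` with an allowed `Authorization` request header, the invariant it relies on should be written down. I would add `// ContentCORS lets any origin read content responses; it must stay credential-less (AllowCredentials: false) and be mounted only on routes authorized by a signed URL or an explicit header, never by cookie.` above the function.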
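Review bot: `middleware.ContentCORS()` is called twice for the `f` group, once in `source.Use` and once for the `OPTIONS` route, so two identical handlers are built where the removed `contentCors` variable in the later hunk shared one; the same pattern is repeated for the `content` group at `content.Use` / `content.OPTIONS`. Building it once keeps both registrations visibly tied to a single policy: `sourceCORS := middleware.ContentCORS()`, then `source.Use(sourceCORS)` and `source.OPTIONS("*option", sourceCORS)`. `source.Use` also applies the wildcard-origin policy to every route registered on the group, and the group body continues outside the hunk, so it is worth confirming that all of those routes are meant to be readable cross-origin.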
@@ -632,12 +634,9 @@ func initMasterRouter(dep dependency.Dep) *gin.Engine {
 controllers.PutContent)
 // Get entity content for preview/download
 content := file.Group("content")
- contentCors := cors.New(cors.Config{
- AllowOrigins: []string{"*"},
- })
- content.Use(contentCors)
+ content.Use(middleware.ContentCORS())
 {
- content.OPTIONS("*option", contentCors)
+ content.OPTIONS("*option", middleware.ContentCORS())
 content.GET(":id/:speed/:name",
 middleware.SignRequired(dep.GeneralAuth()),
 middleware.HashID(hashid.EntityID),