I have noticed two issues that the CORS middleware has:
1. It sends an empty Access-Control-Allow-Origin header if:
   - the Origin header in the request is missing, or
   - the Origin header is not allowed
2. It sends CORS headers (Access-Control-*) even if there is no Origin header in the request or the provided Origin is not allowed. To my understanding, if a request is supposed to use CORS it should have an Origin header. I tested this behaviour with PlayFramework and Gin; they do not send CORS-related headers in this case.
Checklist
Dependencies installed
No typos
Searched existing issues and docs
Expected behaviour
CORS middleware should not send an empty Access-Control-Allow-Origin: header.
CORS middleware should only provide Access-Control-* headers when an Origin header is provided.
Actual behaviour
Described in Issue Description section.
Steps to reproduce
After running the code provided below (in the "Working code to debug" section) it can be reproduced with the following curl commands:
Empty Access-Control-Allow-Origin when Origin is not allowed:
curl -X OPTIONS -H "Origin: http://bar.com" -I http://localhost:1323/
HTTP/1.1 204 No Content
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Origin:
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Date: Fri, 06 Nov 2020 01:11:30 GMT
Empty Access-Control-Allow-Origin when Origin is not provided:
Access-Control-* headers when Origin is not provided:
NOTE: For this, first change the middleware line to e.Use(middleware.CORS()) (by default AllowOrigin is *).
curl -X OPTIONS -I http://localhost:1323/
HTTP/1.1 204 No Content
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Origin: *
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Date: Fri, 06 Nov 2020 01:21:06 GMT
Working code to debug
Version/commit
v4.1.17
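The two expected behaviours above, as an added net/http example (not Echo's middleware code): like the reported middleware it treats every OPTIONS request as a preflight, but it never writes an empty Access-Control-Allow-Origin and writes no Access-Control-* headers unless an allowed Origin is present. The allow-list, the foo.com/bar.com origins and the probe helper are constructed for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// matchOrigin returns the Access-Control-Allow-Origin value to emit and whether to
// emit one. An empty Origin never matches (no header, no CORS); "*" matches any Origin.
func matchOrigin(origin string, allowed []string) (string, bool) {
	for _, a := range allowed {
		if origin != "" && (a == "*" || a == origin) {
			return a, true
		}
	}
	return "", false
}

// corsMiddleware wraps next. Like the page's middleware it treats every OPTIONS
// request as a preflight, but it writes Access-Control-* headers only when the
// Origin is present and allowed, so the header is never empty.
func corsMiddleware(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin") // the response depends on Origin either way
		if value, ok := matchOrigin(r.Header.Get("Origin"), allowed); ok {
			w.Header().Set("Access-Control-Allow-Origin", value)
			if r.Method == http.MethodOptions {
				w.Header().Set("Access-Control-Allow-Methods", "GET,HEAD,PUT,PATCH,POST,DELETE")
			}
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight never reaches the handler
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe runs one constructed request (no network) through the middleware and returns its response headers.
func probe(allowed []string, method, origin string) http.Header {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, "http://localhost:1323/", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	corsMiddleware(allowed, ok).ServeHTTP(rec, req)
	return rec.Header()
}
```

Checking for the key's presence in the header map (not just an empty Get) is what distinguishes "header absent" from the empty-value bug reported above.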