The Fetch standard states that methods are, in general, case-sensitive. For instance, PATCH is distinct from patch.
However, Gin's CORS middleware currently uppercases the allowed methods before writing the result in the Access-Control-Allow-Methods. Therefore, Gin's CORS middleware prevents its users from allowing methods that are not already uppercase.
jub0bs
commented
8 months ago
The Fetch standard states that methods are, in general, case-sensitive. For instance,
PATCHis distinct frompatch.However, Gin's CORS middleware currently uppercases the allowed methods before writing the result in the
Access-Control-Allow-Methods. Therefore, Gin's CORS middleware prevents its users from allowing methods that are not already uppercase.Accordingly, two currently passing test cases,
TestGeneratePreflightHeaders_AllowMethodsandTestPassesAllowOrigins, should actually fail, because their assertions onw.Header().Get("Access-Control-Allow-Methods")are incorrect.FWIW, this undue case-normalisation can be deplored in other CORS middleware libraries and it tends to trip users up. Gin should fixed this.