gin-contrib / cors

Official CORS middleware for gin
https://gin-gonic.github.io/gin/
MIT License

Using allow all origins with credentials. #31

Closed. bweston92 closed this issue 6 years ago

bweston92 commented 6 years ago

Take the following configuration.

import (
    "time"

    ginCors "github.com/gin-contrib/cors"
    "github.com/gin-gonic/gin"
)

// Configuration from the report: every origin allowed, and credentials allowed as well.
func cors() gin.HandlerFunc {
    return ginCors.New(ginCors.Config{
        AllowAllOrigins:  true,
        AllowMethods:     []string{"GET", "PUT", "PATCH", "POST", "DELETE"}, // Allow all the methods above.
        AllowHeaders:     []string{"Origin", "Authorization", "Content-Type", "Accept", "Content-Length"},
        ExposeHeaders:    []string{"Content-Length"},
        AllowCredentials: true,
        MaxAge:           12 * time.Hour,
    })
}

With a regular cross-site request it works fine; however, when using it with credentials I get the following.

Failed to load http://{testing}/iam/check: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:8080' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Looking at the code, if AllowAllOrigins is enabled it will just always output * as the allow-origin header.

I've done this in a different repository by sending everything up to the path from the referrer, for example http://localhost:8080.
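As an added example (not code from this issue or from gin-contrib/cors), here is a stdlib net/http middleware that does what the report asks for with credentials: it echoes the request's Origin instead of '*', but only for origins on an explicit allowlist, and it refuses the AllowAllOrigins-plus-AllowCredentials combination at construction, because reflecting any origin while sending credentials is the same exposure that the browser's wildcard rule exists to block. The field names are borrowed from the issue's config; corsConfig, newCORS, preflight and preflightPasses are names made up for this example, and preflightPasses implements the browser rule quoted in the error above so the failing and passing cases can be checked offline against constructed requests.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// corsConfig reuses the field names from the issue's ginCors.Config, but this file
// is a stand-alone stdlib illustration, not gin-contrib/cors itself (assumption).
type corsConfig struct {
	AllowAllOrigins  bool
	AllowOrigins     []string // explicit allowlist, consulted when AllowAllOrigins is false
	AllowMethods     []string
	AllowHeaders     []string
	AllowCredentials bool
}

func (c corsConfig) originAllowed(origin string) bool {
	for _, o := range c.AllowOrigins {
		if strings.EqualFold(o, origin) {
			return true
		}
	}
	return c.AllowAllOrigins
}

// newCORS builds the middleware. It refuses AllowAllOrigins together with
// AllowCredentials: echoing whatever Origin arrives would let any site send the
// user's cookies and read the reply, which is what the '*' ban exists to prevent.
func newCORS(cfg corsConfig) (func(http.Handler) http.Handler, error) {
	if cfg.AllowAllOrigins && cfg.AllowCredentials {
		return nil, errors.New("cors: AllowAllOrigins cannot be combined with AllowCredentials; list the origins instead")
	}
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			origin := r.Header.Get("Origin")
			if origin == "" { // same-origin or non-browser client: nothing to do
				next.ServeHTTP(w, r)
				return
			}
			if !cfg.originAllowed(origin) { // reject without any CORS headers
				w.WriteHeader(http.StatusForbidden)
				return
			}
			h := w.Header()
			if cfg.AllowAllOrigins { // only reachable without credentials
				h.Set("Access-Control-Allow-Origin", "*")
			} else {
				// Echo the allowlisted origin (never '*'); Vary keeps a shared
				// cache from handing this per-origin response to another site.
				h.Set("Access-Control-Allow-Origin", origin)
				h.Add("Vary", "Origin")
				if cfg.AllowCredentials {
					h.Set("Access-Control-Allow-Credentials", "true")
				}
			}
			if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
				// Preflight: answer it here; the real handler never runs.
				h.Set("Access-Control-Allow-Methods", strings.Join(cfg.AllowMethods, ", "))
				h.Set("Access-Control-Allow-Headers", strings.Join(cfg.AllowHeaders, ", "))
				w.WriteHeader(http.StatusNoContent)
				return
			}
			next.ServeHTTP(w, r)
		})
	}, nil
}

// preflightPasses applies the rule from the browser error quoted above: without
// credentials '*' or an exact origin match is accepted; with credentials the header
// must equal the origin exactly and Access-Control-Allow-Credentials must be "true".
func preflightPasses(h http.Header, origin string, withCredentials bool) (bool, string) {
	acao := h.Get("Access-Control-Allow-Origin")
	switch {
	case acao == "":
		return false, "no Access-Control-Allow-Origin header"
	case acao == "*" && withCredentials:
		return false, "wildcard '*' not allowed when credentials mode is 'include'"
	case acao != "*" && acao != origin:
		return false, "origin " + origin + " is not allowed"
	case withCredentials && h.Get("Access-Control-Allow-Credentials") != "true":
		return false, "Access-Control-Allow-Credentials is not 'true'"
	}
	return true, ""
}

// preflight sends a constructed OPTIONS preflight from origin through mw
// in-process (no network) and returns the response headers.
func preflight(mw func(http.Handler) http.Handler, origin string) http.Header {
	req := httptest.NewRequest(http.MethodOptions, "/iam/check", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "GET")
	rec := httptest.NewRecorder()
	mw(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })).ServeHTTP(rec, req)
	return rec.Result().Header
}
```

Feeding the issue's own configuration to newCORS returns the error; a wildcard-only config produces '*', which preflightPasses accepts without credentials and rejects with them, reproducing the browser message above; an allowlist plus AllowCredentials gets the origin echoed back and passes, while an unlisted origin receives no CORS headers at all. The real library exposes the same shape through its AllowOrigins list and AllowOriginFunc callback; whichever is used, any origin echoed back while AllowCredentials is set should be one you would trust with the user's session cookie.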

scniro commented 5 years ago

@bweston92 Did you solve this? Could you please share what worked for you? Thanks