Asterisk wildcard does not work

[jankaszel]

Hello! I tried working with the most-recent master state of this project. Although the * wildcard for Access-Control-Allow-Origin (introduced last year, https://github.com/gin-contrib/cors/commit/f894742c196d528a81bd99556ba819bd06d71a4e) should allow for all origins, it does not: validateOrigin certainly does not check whether an asterisk is present (just a shallow equality check), although it is explicitly stated otherwise in the documentation:

If the special "*" value is present in the list, all origins will be allowed.

I could imagine fixing this by either adding a separate case into validateOrigin, checking for an asterisk value, or setting AllowAllOrigins to true if an asterisk is contained in AllowOrigins.

Besides that, I have two points, the former in relation to this issue:

• I find AllowAllOrigins quite ambiguous, being just an edge case for specifying an asterisk wildcard. It does not reflect the CORS specification, and using an asterisk is much more verbose instead of using both attributes for specifying origins.
• CORS does not imply validating Origin headers on the server side; it's rather the browsers who adhere to the CORS specification and validate requests. I would imagine a CORS middleware to simply add the respective CORS headers and possibly enable preflight requests, as the CORS middleware for Express does. I found the 403 Forbidden responses super confusing when having invalid Origin values. Maybe we could make server-side validation optional, or explicitly state that this module performs validation?

[adrianliechti]

also router.Use(cors.Default()) seems not to work... maybe this is related?

[andriisoldatenko]

@adrianliechti same for me.

config := cors.DefaultConfig()
config.AllowOrigins = []string{"*"}
router.Use(cors.New(config))

this example works ^

[adrianliechti]

thanks a super lot @andriisoldatenko for this handy hint

[carlows]

I get this from using the wildcard:

bad origin: origins must include http:// or https://