Open jankaszel opened 6 years ago
also router.Use(cors.Default()) seems not to work... maybe this is related?
@adrianliechti same for me.
config := cors.DefaultConfig()
config.AllowOrigins = []string{"*"}
router.Use(cors.New(config))
this example works ^
thanks a super lot @andriisoldatenko for this handy hint
I get this from using the wildcard:
bad origin: origins must include http:// or https://
Hello! I tried working with the most-recent master state of this project. Although the * wildcard for Access-Control-Allow-Origin (introduced last year, https://github.com/gin-contrib/cors/commit/f894742c196d528a81bd99556ba819bd06d71a4e) should allow for all origins, it does not: validateOrigin certainly does not check whether an asterisk is present (just a shallow equality check), although it is explicitly stated otherwise in the documentation: If the special "*" value is present in the list, all origins will be allowed.
I could imagine fixing this by either adding a separate case into validateOrigin, checking for an asterisk value, or setting AllowAllOrigins to true if an asterisk is contained in AllowOrigins.
Besides that, I have two points, the former in relation to this issue:
AllowAllOrigins quite ambiguous, being just an edge case for specifying an asterisk wildcard. It does not reflect the CORS specification, and using an asterisk is much more verbose instead of using both attributes for specifying origins.
Origin headers on the server side; it's rather the browsers who adhere to the CORS specification and validate requests. I would imagine a CORS middleware to simply add the respective CORS headers and possibly enable preflight requests, as the CORS middleware for Express does. I found the 403 Forbidden responses super confusing when having invalid Origin values. Maybe we could make server-side validation optional, or explicitly state that this module performs validation?
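The behaviour this issue reports, as an added Go example that is not part of the thread and not gin-contrib/cors code: a standalone net/http middleware that compares the Origin header with plain equality answers 403 for an allow-list of "*", and the separate asterisk case makes the same request succeed. The names allowOriginValue, withCORS and probe and the origin https://app.example are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowOriginValue returns the Access-Control-Allow-Origin value to send, or "" to reject.
func allowOriginValue(allowed []string, origin string, honorWildcard bool) string {
	for _, a := range allowed {
		if honorWildcard && a == "*" {
			return "*" // the separate asterisk case proposed in the issue
		}
		if a == origin { // shallow equality only, as reported
			return origin
		}
	}
	return ""
}

// withCORS (hypothetical) answers 403 for a disallowed Origin instead of just omitting the headers.
func withCORS(allowed []string, honorWildcard bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			v := allowOriginValue(allowed, origin, honorWildcard)
			if v == "" {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", v)
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one GET with the given Origin; it returns the status and the ACAO header.
func probe(allowed []string, origin string, honorWildcard bool) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	withCORS(allowed, honorWildcard, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	fmt.Println(probe([]string{"*"}, "https://app.example", false)) // constructed origin
	fmt.Println(probe([]string{"*"}, "https://app.example", true))
}
```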