go-chi / cors

CORS net/http middleware for Go
MIT License

Handler: Actual request If no Origin present allows the call to complete without validating the origin. #10

Closed ahamansh closed 4 years ago

ahamansh commented 5 years ago

Scenario: added AllowOriginFunc to validate a custom domain.

If curl is run with -H "Origin: somthing": this call is allowed, and the origin validator func is called but not honored.

The call to validate the origin is present in handleActualRequest(); however, when a curl request is sent with an Origin header, it simply allows the call to complete. Should it stop when AllowOriginFunc returns false?

ahamansh commented 5 years ago

Also for the service chaining if we want to validate the origin.

pkieltyka commented 4 years ago

Correct, "false" would not set appropriate headers to allow the CORS request to succeed.
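
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not go-chi/cors code: a simplified stand-in CORS middleware only withholds the response header when the validator returns false, so a separate server-side check is needed if a refused Origin should be rejected. The names `allowOrigin`, `corsHeaders`, `enforceOrigin`, `probe` and the allowed origin `https://app.example.com` are assumptions made for illustration.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowOrigin is a hypothetical validator in the role of AllowOriginFunc.
func allowOrigin(origin string) bool { return origin == "https://app.example.com" }

// corsHeaders: simplified stand-in for a CORS middleware; it only sets the header, then calls next.
func corsHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" && allowOrigin(o) {
			w.Header().Set("Access-Control-Allow-Origin", o)
		}
		next.ServeHTTP(w, r)
	})
}

// enforceOrigin is a separate server-side gate: a present but refused Origin gets 403.
func enforceOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" && !allowOrigin(o) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one GET (empty origin = no header); returns status and ACAO header.
func probe(h http.Handler, origin string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/data", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}
var api = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
func main() {
	for _, o := range []string{"https://app.example.com", "somthing", ""} { // constructed inputs
		c1, acao := probe(corsHeaders(api), o)
		c2, _ := probe(enforceOrigin(corsHeaders(api)), o)
		fmt.Printf("Origin=%q headers-only=%d ACAO=%q enforced=%d\n", o, c1, acao, c2)
	}
}
```

A request without an Origin header still passes `enforceOrigin`, and a non-browser client can send any Origin value it likes, so this gate complements authentication rather than replacing it.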