search

go-chi / cors

CORS net/http middleware for Go
MIT License
332 stars 32 forks source link

Fix Access-Control-Allow-Origin with wildcard #13

Closed gonzaloserrano closed 4 years ago

gonzaloserrano commented 5 years ago

Hi,

I want to return the wildcard in the Access-Control-Allow-Origin response header and tried this quick fix.

Does it make sense to you?

Thanks

cdent commented 4 years ago

I came here looking for exactly this fix, from reading https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin and https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null

Any chance this might get merged?

cdent commented 4 years ago

Hmmm. I see what it's doing: sending as origin, the current origin. This isn't ideal for strange cache and proxy scenarios.

pkieltyka commented 4 years ago

Resolved in https://github.com/go-chi/cors/commit/b978ea830f7c8f371fd43358b5665e7047691207

gonzaloserrano commented 4 years ago

Thank you!