zeromicro / go-zero

A cloud-native Go microservices framework with cli tool for productivity.
https://go-zero.dev
MIT License
29.41k stars 3.97k forks

CORS optimization #3311

Open Meppo opened 1 year ago

Meppo commented 1 year ago

go-zero v1.5.1

The Access-Control-Allow-Origin: * returned by rest.withCors is no longer accepted by browsers nowadays.

rest.WithCustomCors() can also only be used to return a fixed set of Origins.

I suggest directly supporting setting Access-Control-Allow-Origin to the Origin from the original request.

jjkoh95 commented 1 year ago

Can I take a look at this? Thanks

zcong1993 commented 1 year ago

IMO it is dangerous to set back the request origin as default behaviour of allow all domains, and other frameworks don't do it either.

When withCredentials is set to true, it is trying to send credentials or cookies along with the request. As that means another origin is potentially trying to do authenticated requests, the wildcard ("*") is not permitted as the "Access-Control-Allow-Origin" header.

https://stackoverflow.com/questions/42803394/cors-credentials-mode-is-include

mahfoos commented 1 year ago

Hi, Can i take look in this Thanks

majjikishore007 commented 1 year ago

Hi is this issue still open

yanzhuiyun commented 1 year ago

Please assign the issue to me and I will try to solve it

saleroa commented 5 months ago

it looks interesting, please assign me!


potatocheng commented 2 months ago

Hello, I want to try to optimize this problem, but now I have some questions I want to confirm with you. Should we directly replace the part in the code that sets Access-Control-Allow-Origin to * with Access-Control-Allow-Origin set to the original Origin, or should we use an optional mode with a flag, so that Access-Control-Allow-Origin is only changed to the original Origin after the user sets the flag? (Note: This is my first time participating in an open source project. If there are any communication problems, please let me know.)

// we directly replace the part in the code that sets Access-Control-Allow-Origin to * with Access-Control-Allow-Origin as the original Origin
// after modification
func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string) {
    setVaryHeaders(w, r)

    origin := r.Header.Get(originHeader)
    if len(origins) == 0 {
        setHeader(w, origin)
        return
    }

    if isOriginAllowed(origins, origin) {
        setHeader(w, origin)
    }
}
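
The allowlist-and-reflect approach discussed in this thread, together with zcong1993's point that a wildcard cannot be combined with credentials, as an added example: this is not go-zero's own CORS middleware and not the snippet posted above. The corsPolicy type, newCorsPolicy, matchOrigin, applyCORS, reflectAnyOrigin and allowOriginFor are names assumed for the example, and the request path and origins are constructed sample values.

```go
package main

// Added example, not go-zero's code. Names and sample origins are assumptions.

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const (
	originHeader      = "Origin"
	allowOriginHeader = "Access-Control-Allow-Origin"
	allowCredsHeader  = "Access-Control-Allow-Credentials"
	varyHeader        = "Vary"
)

// corsPolicy is an explicit origin allowlist. An empty list grants no
// cross-origin access at all, which is the safe default.
type corsPolicy struct {
	allowedOrigins   []string
	allowCredentials bool
}

// newCorsPolicy refuses at configuration time the combination browsers reject
// anyway: "*" together with credentials.
func newCorsPolicy(origins []string, allowCredentials bool) (corsPolicy, error) {
	for _, o := range origins {
		if o == "*" && allowCredentials {
			return corsPolicy{}, errors.New(`origin "*" cannot be combined with credentials`)
		}
	}
	return corsPolicy{allowedOrigins: origins, allowCredentials: allowCredentials}, nil
}

// matchOrigin picks the Access-Control-Allow-Origin value for a request Origin:
// "*" when the policy is public, the exact origin when it is on the allowlist,
// nothing otherwise.
func (p corsPolicy) matchOrigin(origin string) (string, bool) {
	for _, o := range p.allowedOrigins {
		if o == "*" {
			return "*", true
		}
		if o == origin {
			return origin, true // reflect only an exact allowlist match
		}
	}
	return "", false
}

// applyCORS writes the CORS response headers and returns the allow value it
// chose ("" means the origin was refused and no allow header was written).
func (p corsPolicy) applyCORS(w http.ResponseWriter, r *http.Request) string {
	// Vary: Origin is required whenever the allow header depends on the request;
	// without it a shared cache could hand one origin's answer to another.
	w.Header().Add(varyHeader, originHeader)

	origin := r.Header.Get(originHeader)
	if origin == "" {
		return "" // same-origin or non-browser client: CORS does not apply
	}
	allow, ok := p.matchOrigin(origin)
	if !ok {
		return "" // unknown origin: no allow header, the browser blocks the read
	}
	w.Header().Set(allowOriginHeader, allow)
	if p.allowCredentials {
		w.Header().Set(allowCredsHeader, "true")
	}
	return allow
}

// reflectAnyOrigin is the shortcut the thread warns against: every Origin is
// echoed back, so with credentials enabled any site can make authenticated
// requests with the user's cookies. Shown only for comparison.
func reflectAnyOrigin(w http.ResponseWriter, r *http.Request) string {
	origin := r.Header.Get(originHeader)
	w.Header().Set(allowOriginHeader, origin)
	w.Header().Set(allowCredsHeader, "true")
	return origin
}

// allowOriginFor runs one constructed GET request through a CORS handler and
// returns the allow header it chose plus the Vary value, for offline checks.
func allowOriginFor(h func(http.ResponseWriter, *http.Request) string, origin string) (allow, vary string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/v1/users", nil)
	if origin != "" {
		req.Header.Set(originHeader, origin)
	}
	allow = h(rec, req)
	return allow, rec.Header().Get(varyHeader)
}

func main() {
	policy, err := newCorsPolicy([]string{"https://app.example.com"}, true)
	if err != nil {
		panic(err)
	}
	for _, o := range []string{"https://app.example.com", "https://attacker.example", ""} {
		allow, vary := allowOriginFor(policy.applyCORS, o)
		fmt.Printf("allowlist: Origin=%q -> Allow-Origin=%q Vary=%q\n", o, allow, vary)
	}
	if _, err := newCorsPolicy([]string{"*"}, true); err != nil {
		fmt.Println("rejected at config time:", err)
	}
}
```

The design point is that the allow header is derived from the configured list, never from the request alone: an unknown Origin gets no header, a listed one is reflected, and Vary: Origin is always set so caches do not mix the answers. That is the behaviour the proposed optional flag would need to keep.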

akulabs8 commented 4 weeks ago

is the issue still open?

Meppo commented 4 weeks ago

Hello, I want to try to optimize this problem, but now I have some questions I want to confirm with you. Should we directly replace the part in the code that sets Access-Control-Allow-Origin to * with Access-Control-Allow-Origin set to the original Origin, or should we use an optional mode with a flag, so that Access-Control-Allow-Origin is only changed to the original Origin after the user sets the flag? (Note: This is my first time participating in an open source project. If there are any communication problems, please let me know.)

// we directly replace the part in the code that sets Access-Control-Allow-Origin to * with Access-Control-Allow-Origin as the original Origin
// after modification
func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string) {
  setVaryHeaders(w, r)

  origin := r.Header.Get(originHeader)
  if len(origins) == 0 {
      setHeader(w, origin)
      return
  }

  if isOriginAllowed(origins, origin) {
      setHeader(w, origin)
  }
}

We should go with "use an optional mode to set a flag that the user can only enable after setting the flag"; it's better not to modify the code that is already in use.