fixed #712

Signed-off-by: Vishal Rana <vr@labstack.com>

middleware/cors.go

@@ -15,7 +15,8 @@ type (
 		Skipper Skipper
 
 		// AllowOrigin defines a list of origins that may access the resource.
-		// Optional. Default value []string{"*"}.
+		// Optional. If request header `Origin` is set, value is []string{"<Origin>"}
+		// else []string{"*"}.
 		AllowOrigins []string `json:"allow_origins"`
 
 		// AllowMethods defines a list methods allowed when accessing the resource.
@@ -51,7 +52,6 @@ var (
 	// DefaultCORSConfig is the default CORS middleware config.
 	DefaultCORSConfig = CORSConfig{
 		Skipper:      defaultSkipper,
-		AllowOrigins: []string{"*"},
 		AllowMethods: []string{echo.GET, echo.HEAD, echo.PUT, echo.PATCH, echo.POST, echo.DELETE},
 	}
 )
@@ -69,12 +69,10 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 	if config.Skipper == nil {
 		config.Skipper = DefaultCORSConfig.Skipper
 	}
-	if len(config.AllowOrigins) == 0 {
-		config.AllowOrigins = DefaultCORSConfig.AllowOrigins
-	}
 	if len(config.AllowMethods) == 0 {
 		config.AllowMethods = DefaultCORSConfig.AllowMethods
 	}
+
 	allowedOrigins := strings.Join(config.AllowOrigins, ",")
 	allowMethods := strings.Join(config.AllowMethods, ",")
 	allowHeaders := strings.Join(config.AllowHeaders, ",")
@@ -89,6 +87,17 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 
 			req := c.Request()
 			res := c.Response()
+			origin := req.Header.Get(echo.HeaderOrigin)
+
+			if allowedOrigins == "" {
+				if origin != "" {
+					allowedOrigins = origin
+				} else {
+					if !config.AllowCredentials {
+						allowedOrigins = "*"
+					}
+				}
+			}
 
 			// Simple request
 			if req.Method != echo.OPTIONS {

middleware/cors_test.go

@@ -11,21 +11,21 @@ import (
 
 func TestCORS(t *testing.T) {
 	e := echo.New()
+
+	// Origin origin
 	req, _ := http.NewRequest(echo.GET, "/", nil)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)
-	cors := CORSWithConfig(CORSConfig{
-		AllowCredentials: true,
-	})
-	h := cors(func(c echo.Context) error {
-		return c.String(http.StatusOK, "test")
-	})
+	h := CORS()(echo.NotFoundHandler)
+	req.Header.Set(echo.HeaderOrigin, "localhost")
+	h(c)
+	assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
 
 	// Wildcard origin
 	req, _ = http.NewRequest(echo.GET, "/", nil)
 	rec = httptest.NewRecorder()
 	c = e.NewContext(req, rec)
-	req.Header.Set(echo.HeaderOrigin, "localhost")
+	h = CORS()(echo.NotFoundHandler)
 	h(c)
 	assert.Equal(t, "*", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
 
@@ -34,14 +34,7 @@ func TestCORS(t *testing.T) {
 	rec = httptest.NewRecorder()
 	c = e.NewContext(req, rec)
 	req.Header.Set(echo.HeaderOrigin, "localhost")
-	cors = CORSWithConfig(CORSConfig{
-		AllowOrigins:     []string{"localhost"},
-		AllowCredentials: true,
-		MaxAge:           3600,
-	})
-	h = cors(func(c echo.Context) error {
-		return c.String(http.StatusOK, "test")
-	})
+	h = CORS()(echo.NotFoundHandler)
 	h(c)
 	assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
 
@@ -51,6 +44,12 @@ func TestCORS(t *testing.T) {
 	c = e.NewContext(req, rec)
 	req.Header.Set(echo.HeaderOrigin, "localhost")
 	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	cors := CORSWithConfig(CORSConfig{
+		AllowOrigins:     []string{"localhost"},
+		AllowCredentials: true,
+		MaxAge:           3600,
+	})
+	h = cors(echo.NotFoundHandler)
 	h(c)
 	assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
 	assert.NotEmpty(t, rec.Header().Get(echo.HeaderAccessControlAllowMethods))

website/content/middleware/cors.md

@@ -37,7 +37,8 @@ CORSConfig struct {
     Skipper Skipper
 
     // AllowOrigin defines a list of origins that may access the resource.
-  // Optional. Default value []string{"*"}.
+    // Optional. If request header `Origin` is set, value is []string{"<Origin>"}
+    // else []string{"*"}.
     AllowOrigins []string `json:"allow_origins"`
 
     // AllowMethods defines a list methods allowed when accessing the resource.