From 4c78b7122b58a5067b689dbcb4863fb0536e42c7 Mon Sep 17 00:00:00 2001
From: Vishal Rana
Date: Sat, 12 Nov 2016 14:29:11 -0800
Subject: [PATCH] cors: not checking for origin header

Signed-off-by: Vishal Rana
---
 middleware/cors.go | 22 +++-------------------
 middleware/cors_test.go | 12 ------------
 2 files changed, 3 insertions(+), 31 deletions(-)

diff --git a/middleware/cors.go b/middleware/cors.go
index 69300c4f..3182a5b9 100644
--- a/middleware/cors.go
+++ b/middleware/cors.go
@@ -75,6 +75,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 if len(config.AllowMethods) == 0 {
 config.AllowMethods = DefaultCORSConfig.AllowMethods
 }
+ allowOrigins := strings.Join(config.AllowOrigins, ",")
 allowMethods := strings.Join(config.AllowMethods, ",")
 allowHeaders := strings.Join(config.AllowHeaders, ",")
 exposeHeaders := strings.Join(config.ExposeHeaders, ",")
@@ -88,25 +89,11 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 req := c.Request()
 res := c.Response()
- origin := req.Header().Get(echo.HeaderOrigin)
- originSet := req.Header().Contains(echo.HeaderOrigin) // Issue #517
-
- // Check allowed origins
- allowedOrigin := ""
- for _, o := range config.AllowOrigins {
- if o == "*" || o == origin {
- allowedOrigin = o
- break
- }
- }
 
 // Simple request
 if req.Method() != echo.OPTIONS {
 res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
- if !originSet || allowedOrigin == "" {
- return next(c)
- }
- res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
+ res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowOrigins)
 if config.AllowCredentials {
 res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
 }
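Review bot: `allowOrigins := strings.Join(config.AllowOrigins, ",")` yields a usable Access-Control-Allow-Origin value only when the list has a single entry: that header carries one origin or `*`, so a configuration with two or more explicit origins produces a comma-separated value browsers do not accept, and cross-origin requests from every listed origin fail. The joined string is what the two following hunks write unconditionally into the response. Keep `allowMethods`, `allowHeaders` and `exposeHeaders` joined as before, but leave `config.AllowOrigins` as a slice here and choose the matching entry per request rather than precomputing one string.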
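Review bot: The simple-request branch now sets Access-Control-Allow-Origin to the whole configured list without checking whether the request carried an Origin header or whether that origin appears in config.AllowOrigins; the preflight branch in the `@@ -120,10 +107,7 @@` hunk has the same unconditional Set. With an explicit (non-`*`) list the header no longer reflects the caller's origin, so the middleware stops distinguishing allowed from disallowed origins and discloses the full allow list to every client, including requests that have no Origin header at all, while the `Vary: Origin` it still adds no longer describes anything the response varies on. The per-request selection this hunk removes — read `req.Header().Get(echo.HeaderOrigin)`, accept it when it equals an entry or the entry is `*`, and `return next(c)` when nothing matches — should be kept, with the header set to the single matched value in both branches. If the intent was only to change how a present-but-empty Origin is treated (the removed `originSet` check, tagged Issue #517), that can be done without dropping the match itself. CORSWithConfig continues outside this hunk.
```go
origin := req.Header().Get(echo.HeaderOrigin)
allowedOrigin := ""
for _, o := range config.AllowOrigins {
	if o == "*" || o == origin {
		allowedOrigin = o
		break
	}
}
// … unchanged: Vary header on the simple-request path …
if allowedOrigin == "" {
	return next(c)
}
res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
// … unchanged: AllowCredentials / ExposeHeaders handling …
```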
@@ -120,10 +107,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
 res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestMethod)
 res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestHeaders)
- if !originSet || allowedOrigin == "" {
- return next(c)
- }
- res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
+ res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowOrigins)
 res.Header().Set(echo.HeaderAccessControlAllowMethods, allowMethods)
 if config.AllowCredentials {
 res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
diff --git a/middleware/cors_test.go b/middleware/cors_test.go
index 846c4b34..0ab9e349 100644
--- a/middleware/cors_test.go
+++ b/middleware/cors_test.go
@@ -21,18 +21,6 @@ func TestCORS(t *testing.T) {
 return c.String(http.StatusOK, "test")
 })
 
- // No origin header
- h(c)
- assert.Equal(t, "", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
-
- // Empty origin header
- req = test.NewRequest(echo.GET, "/", nil)
- rec = test.NewResponseRecorder()
- c = e.NewContext(req, rec)
- req.Header().Set(echo.HeaderOrigin, "")
- h(c)
- assert.Equal(t, "*", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
-
 // Wildcard origin
 req = test.NewRequest(echo.GET, "/", nil)
 rec = test.NewResponseRecorder()