cors: not checking for origin header

Signed-off-by: Vishal Rana <vr@labstack.com>
2025-10-30 23:57:38 +02:00 · 2016-11-12 14:05:41 -08:00
parent 6ead4be761
commit d832efd403
3 changed files with 4 additions and 31 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ website/public
 vendor

 .DS_Store
+_test
--- a/middleware/cors.go
+++ b/middleware/cors.go
@@ -75,6 +75,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 	if len(config.AllowMethods) == 0 {
 		config.AllowMethods = DefaultCORSConfig.AllowMethods
 	}
+	allowedOrigins := strings.Join(config.AllowOrigins, ",")
 	allowMethods := strings.Join(config.AllowMethods, ",")
 	allowHeaders := strings.Join(config.AllowHeaders, ",")
 	exposeHeaders := strings.Join(config.ExposeHeaders, ",")
@@ -88,25 +89,11 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {

 			req := c.Request()
 			res := c.Response()
-			origin := req.Header.Get(echo.HeaderOrigin)
-			_, originSet := req.Header[echo.HeaderOrigin]
-
-			// Check allowed origins
-			allowedOrigin := ""
-			for _, o := range config.AllowOrigins {
-				if o == "*" || o == origin {
-					allowedOrigin = o
-					break
-				}
-			}

 			// Simple request
 			if req.Method != echo.OPTIONS {
 				res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
-				if !originSet || allowedOrigin == "" {
-					return next(c)
-				}
-				res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
+				res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigins)
 				if config.AllowCredentials {
 					res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
 				}
@@ -120,10 +107,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 			res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
 			res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestMethod)
 			res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestHeaders)
-			if !originSet || allowedOrigin == "" {
-				return next(c)
-			}
-			res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
+			res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigins)
 			res.Header().Set(echo.HeaderAccessControlAllowMethods, allowMethods)
 			if config.AllowCredentials {
 				res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
--- a/middleware/cors_test.go
+++ b/middleware/cors_test.go
@@ -21,18 +21,6 @@ func TestCORS(t *testing.T) {
 		return c.String(http.StatusOK, "test")
 	})

-	// No origin header
-	h(c)
-	assert.Equal(t, "", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
-
-	// Empty origin header
-	req, _ = http.NewRequest(echo.GET, "/", nil)
-	rec = httptest.NewRecorder()
-	c = e.NewContext(req, rec)
-	req.Header.Set(echo.HeaderOrigin, "")
-	h(c)
-	assert.Equal(t, "*", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
-
 	// Wildcard origin
 	req, _ = http.NewRequest(echo.GET, "/", nil)
 	rec = httptest.NewRecorder()