AllowOriginFunc is set, but the content of AllowedOrigins is not ignored #80

Closed
macbesu opened this issue Jun 5, 2019 · 1 comment · Fixed by #163

macbesu commented Jun 5, 2019

The last sentence of the following description in the README does not seem to be strict (when AllowCredentials:true is set).

AllowOriginFunc func (origin string) bool: A custom function to validate the origin. It takes the origin as an argument and returns true if allowed, or false otherwise. If this option is set, the content of AllowedOrigins is ignored.

I wrote the following code:

r := gin.Default()

r.Use(cors.New(cors.Options{
  AllowedOrigins: []string{"*"}, // I also wrote other origins
  AllowCredentials: true,
  AllowOriginFunc: func(origin string) bool { // I thought this function can cover AllowedOrigins
    return true
  },
}))

When I made a request to the server, my browser console reported a cross-domain error:

If I comment out AllowedOrigins: []string{"*"}, there will be no problem.

macbesu closed this as completed Jun 5, 2019
macbesu changed the title from "AllowOriginFunc is set, but the content of AllowedOrigins is not ignored" to "AllowOriginFunc is set, but the content of AllowedOrigins is not ignored when AllowCredentials also exists" Jun 5, 2019
macbesu changed the title from "AllowOriginFunc is set, but the content of AllowedOrigins is not ignored when AllowCredentials also exists" to "AllowOriginFunc is set, but the content of AllowedOrigins is not ignored" Jun 5, 2019
macbesu reopened this Jun 5, 2019

jub0bs commented Aug 27, 2023

This is indeed reproducible in v1.9.0. Contrary to what the doc claims,

If [AllowOriginFunc] is set, the content of AllowedOrigins is ignored.

AllowOriginFunc doesn't take precedence over AllowedOrigins. To see this, add the following test case in TestSpec:

{
  "AllowedOriginsPlusAllowOriginFunc",
  Options{
    AllowedOrigins: []string{"*"},
    AllowOriginFunc: func(origin string) bool {
      return true
    },
  },
  "GET",
  map[string]string{
    "Origin": "http://foobar.com",
  },
  map[string]string{
    "Vary":                        "Origin",
    "Access-Control-Allow-Origin": "http://foobar.com",
  },
  true,
},

It fails:

--- FAIL: TestSpec (0.00s)
    --- FAIL: TestSpec/AllowedOriginsPlusAllowOriginFunc (0.00s)
        --- FAIL: TestSpec/AllowedOriginsPlusAllowOriginFunc/Handler (0.00s)
            cors_test.go:33: Response header "Access-Control-Allow-Origin" = "", want "http://foobar.com"
        --- FAIL: TestSpec/AllowedOriginsPlusAllowOriginFunc/HandlerFunc (0.00s)
            cors_test.go:33: Response header "Access-Control-Allow-Origin" = "", want "http://foobar.com"
        --- FAIL: TestSpec/AllowedOriginsPlusAllowOriginFunc/Negroni (0.00s)
            cors_test.go:33: Response header "Access-Control-Allow-Origin" = "", want "http://foobar.com"
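
Added example, not part of the thread above and not the library's code: a standard-library model of the precedence the README sentence describes (when AllowOriginFunc is set, AllowedOrigins is never consulted), exercised with the same request as the test case above. The `Options` type here, `allowOrigin`, `probe` and the `api.test` URL are hypothetical names constructed for this sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Options is a hypothetical stand-in holding only the two fields from the issue title.
type Options struct {
	AllowedOrigins  []string
	AllowOriginFunc func(origin string) bool
}

// allowOrigin returns the Access-Control-Allow-Origin value, or "" to deny.
func allowOrigin(o Options, origin string) string {
	if o.AllowOriginFunc != nil { // documented rule: AllowedOrigins is ignored
		if o.AllowOriginFunc(origin) {
			return origin
		}
		return ""
	}
	for _, a := range o.AllowedOrigins {
		if a == "*" || a == origin {
			return a // "*" for the wildcard, the echoed origin for an exact match
		}
	}
	return ""
}

// probe sends one GET with the given Origin through the model and returns the response headers.
func probe(o Options, origin string) http.Header {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		if v := allowOrigin(o, r.Header.Get("Origin")); v != "" {
			w.Header().Set("Access-Control-Allow-Origin", v)
		}
	})
	req := httptest.NewRequest("GET", "http://api.test/", nil) // constructed request
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header()
}

func main() {
	o := Options{AllowedOrigins: []string{"*"}, AllowOriginFunc: func(string) bool { return true }}
	fmt.Println(probe(o, "http://foobar.com").Get("Access-Control-Allow-Origin"))
}
```

The same `probe` shape works against a real middleware: wrap the handler under test instead of the model and compare the returned headers for each option combination you deploy.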
