
Comments (11)

go-english avatar go-english commented on September 15, 2024 1

@jub0bs That's what I'm saying: I set origin: https://www.myhome.com, expecting only this URL to be able to access my server (https://www.myserver.com/), but I found I had misunderstood. Then I found this description in "what is origin".
I realize it can be null or fabricated, such as when I use curl https://www.myserver.com (not a server with [my server] deployed): I was expecting it to not be able to access, but it can, because it doesn't have an origin set.
Then I use curl -H "origin: https://www.myhome.com" https://www.myserver.com, and it works too, because I set a fake origin.
So it's not the code that's the problem, it's my misunderstanding.
I guess I should have verified the IP of the visitor. That's what I need.
Thanks for your help.

from cors.

go-english avatar go-english commented on September 15, 2024 1

@jub0bs Yeah, bro! I think I finally understand what CORS can do and what it cannot do. Thanks for your patience, have a nice day!

from cors.

klm127 avatar klm127 commented on September 15, 2024

When you use AllowOriginFunc, AllowOrigins is ignored. So you should remove AllowOrigins and put the foo.com check inside of AllowOriginFunc, e.g.:

AllowOriginFunc: func(origin string) bool {
	if origin == "http://www.foo.com" {
		return true
	}
	if origin == "https://github.com" {
		return true
	}
	return false
},

I noticed that foo.com, if you are actually testing there, is not secure, so make sure it's http not https.

Secondly, github.com has a content security policy that prevents CORS requests, so it may not be a simple matter to query your server from the dev console, for example.

from cors.

douno23 avatar douno23 commented on September 15, 2024
AllowOriginFunc: func(origin string) bool {
	if origin == "http://www.foo.com" {
		return true
	}
	if origin == "https://github.com" {
		return true
	}
	return false
},

I have tried this, but it doesn't work either.

from cors.

jub0bs avatar jub0bs commented on September 15, 2024

@douno23 The screenshot you shared shows a request that does not include any Origin header; therefore, it's not a CORS request.

from cors.

go-english avatar go-english commented on September 15, 2024

I have the same problem.

from cors.

jub0bs avatar jub0bs commented on September 15, 2024

@go-english What problem? If the request doesn't contain any Origin header, it doesn't participate in the CORS protocol and you cannot expect it to contain CORS response headers (though it could, in some implementations).

from cors.

go-english avatar go-english commented on September 15, 2024

@jub0bs Hi, bro. Thanks for your reply.
This is my code; assume its exposed URL is https://www.myserver.com

// In package main:
var Router = gin.Default()

func main() {
	Router.Use(middleware.NewCors())
}

// In package middleware (imports "time", "github.com/gin-contrib/cors", "github.com/gin-gonic/gin"):
func NewCors() gin.HandlerFunc {
	return cors.New(cors.Config{
		AllowOrigins:     []string{"https://www.myhome.com"},
		AllowMethods:     []string{"POST", "GET", "OPTIONS"},
		AllowHeaders:     []string{"Content-Type", "x-token"},
		ExposeHeaders:    []string{"Content-Length", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers", "Content-Type"},
		AllowCredentials: true,
		MaxAge:           7 * time.Hour * 24,
		AllowAllOrigins:  false,
	})
}

I have the issue: if I set origins: "https://www.myhome.com", why can other addresses access it? (For example, on my personal PC, which is definitely not "https://www.myhome.com", I use curl https://www.myserver.com. It should return me a 403 Forbidden rather than the customized response.)
If you have any hint, I'd appreciate it!

from cors.

go-english avatar go-english commented on September 15, 2024

I think I found the problem, in cors.config.go
line 68

func (cors *cors) applyCors(c *gin.Context) {
	origin := c.Request.Header.Get("Origin")
	if len(origin) == 0 {
		// request is not a CORS request
		return
	}
	host := c.Request.Host

	if origin == "http://"+host || origin == "https://"+host {
		// request is not a CORS request but has an Origin header,
		// for example when the fetch API is used
		return
	}

	if !cors.validateOrigin(origin) {
		c.AbortWithStatus(http.StatusForbidden)
		return
	}

	if c.Request.Method == "OPTIONS" {
		cors.handlePreflight(c)
		defer c.AbortWithStatus(cors.optionsResponseStatusCode)
	} else {
		cors.handleNormal(c)
	}

	if !cors.allowAllOrigins {
		c.Header("Access-Control-Allow-Origin", origin)
	}
}
It allows all access if the Origin header isn't set.
I don't know why. Shouldn't it be disabled by default?

from cors.

jub0bs avatar jub0bs commented on September 15, 2024

@go-english I'm not sure I understand the issue. Can you post one or more curl commands that trigger the behaviour you observe and also explain what behaviour you expect?

from cors.

jub0bs avatar jub0bs commented on September 15, 2024

@go-english I think you misunderstand the purpose of CORS. Contrary to popular belief, CORS is no substitute for server-side authorisation. Rather, CORS is a protocol that lets servers instruct browsers to relax the Same-Origin Policy's restrictions for select clients. All other things being equal, activating CORS makes your users less (not more) secure.

Besides, not all user agents implement the SOP or CORS. You shouldn't be surprised that you're able to spoof the Origin header using something like curl.

from cors.
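As an added example (not code from the gin-contrib/cors project or from anyone in this thread), the standalone Go program below reproduces the decision sequence of the applyCors snippet quoted earlier using only net/http, so it runs without gin: a request with no Origin header is passed through untouched, a request whose Origin fails the allow function (the role klm127 describes for AllowOriginFunc) gets a 403, and a request with an allowed Origin gets Access-Control-Allow-Origin. It then shows the point jub0bs makes: since curl can omit or spoof Origin, the CORS layer alone lets such requests reach the handler, and only a separate server-side check (here a constructed x-token value, mirroring the AllowHeaders entry in the thread's config) actually denies them. The allow list, the token value, the origin https://other.example and the URL https://www.myserver.com/api are assumptions chosen to match the thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed allow list, standing in for the AllowOrigins value in the thread.
var allowedOrigins = map[string]bool{"https://www.myhome.com": true}

// allowOriginFunc plays the role of gin-contrib/cors's AllowOriginFunc.
func allowOriginFunc(origin string) bool { return allowedOrigins[origin] }

// corsMiddleware follows the decision sequence of the applyCors snippet quoted
// in the thread: no Origin header means "not a CORS request", so the request is
// passed through; a same-host Origin is passed through; any other Origin must
// satisfy allowOriginFunc or the request is rejected with 403.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			next.ServeHTTP(w, r)
			return
		}
		if origin == "http://"+r.Host || origin == "https://"+r.Host {
			next.ServeHTTP(w, r)
			return
		}
		if !allowOriginFunc(origin) {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Vary", "Origin")
		if r.Method == http.MethodOptions { // preflight
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// demoToken is a constructed placeholder for a real credential.
const demoToken = "constructed-demo-token"

// requireToken is the server-side authorisation step that CORS does not
// provide: it runs regardless of what the Origin header says.
func requireToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("x-token") != demoToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newServer builds the handler chain; withAuth selects whether the token check
// sits behind the CORS middleware.
func newServer(withAuth bool) http.Handler {
	var api http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "secret data")
	})
	if withAuth {
		api = requireToken(api)
	}
	return corsMiddleware(api)
}

// probe sends one GET through the chain and returns the status code and the
// Access-Control-Allow-Origin header, i.e. what curl -i would show.
func probe(h http.Handler, origin, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "https://www.myserver.com/api", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if token != "" {
		req.Header.Set("x-token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	cases := []struct{ name, origin, token string }{
		{"curl without Origin", "", ""},
		{"curl with spoofed allowed Origin", "https://www.myhome.com", ""},
		{"browser page on a disallowed Origin", "https://other.example", ""},
		{"allowed Origin plus valid token", "https://www.myhome.com", demoToken},
	}
	for _, withAuth := range []bool{false, true} {
		h := newServer(withAuth)
		for _, c := range cases {
			code, acao := probe(h, c.origin, c.token)
			fmt.Printf("auth=%-5v %-38s -> %d ACAO=%q\n", withAuth, c.name, code, acao)
		}
	}
}
```

Run it with `go run .` and compare the two halves of the output: without the token check, the only request the CORS layer refuses is the one with a disallowed Origin, while the curl-style requests (no Origin, or a copied allowed Origin) get the secret data; with the token check in place, those same requests get 401 no matter what Origin they carry, which is the access control the thread was actually looking for.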
