Comments (11)
@jub0bs That's what I'm saying: I set origin: https://www.myhome.com, expecting only this URL to be able to access my server (https://www.myserver.com/), but I found I had misunderstood. Then I found this description in "what is origin".
I realise it can be null or fabricated, for example if I use curl https://www.myserver.com
(not a server with [my server] deployed); I was expecting it not to be able to access, but it can, because it doesn't have an Origin set.
Then I use curl -H "origin: https://www.myhome.com" https://www.myserver.com
and it works too, because I set a fake Origin.
So it's not the code that's the problem, it's my misunderstanding.
I guess I should have verified the IP of the visitor. That's what I need.
Thanks for your help.
@jub0bs Yeah, bro! I think I finally understand what CORS can do and what it cannot do. Thanks for your patience, have a nice day!
When you use AllowOriginFunc, AllowOrigins is ignored. So you should remove AllowOrigins and put the foo.com check inside AllowOriginFunc, e.g.:

    // AllowOriginFunc replaces the AllowOrigins list: it is called with the
    // request's Origin header and returns whether that origin is allowed.
    AllowOriginFunc: func(origin string) bool {
        if origin == "http://www.foo.com" {
            return true
        }
        if origin == "https://github.com" {
            return true
        }
        return false
    },

I noticed that foo.com, if you are actually testing there, is not secure, so make sure it's http not https.
Secondly, github.com has a content security policy that prevents CORS requests, so it may not be a simple matter to query your server from the dev console, for example.
    AllowOriginFunc: func(origin string) bool {
        if origin == "http://www.foo.com" {
            return true
        }
        if origin == "https://github.com" {
            return true
        }
        return false
    },

I have tried this, but it doesn't work either.
@douno23 The screenshot you shared shows a request that does not include any Origin header; therefore, it's not a CORS request.
I have the same problem.
@go-english What problem? If the request doesn't contain any Origin header, it doesn't participate in the CORS protocol and you cannot expect it to contain CORS response headers (though it could, in some implementations).
@jub0bs Hi, bro. Thanks for your reply.
This is my code; assume it's exposed at the URL https://www.myserver.com:

    package main

    import (
        "time"

        "github.com/gin-contrib/cors"
        "github.com/gin-gonic/gin"
    )

    // NewCors builds the CORS middleware. In the original layout it lives in a
    // separate middleware package and is registered as Router.Use(middleware.NewCors());
    // it is kept in one file here so the snippet compiles stand-alone.
    func NewCors() gin.HandlerFunc {
        return cors.New(cors.Config{
            AllowOrigins:     []string{"https://www.myhome.com"},
            AllowMethods:     []string{"POST", "GET", "OPTIONS"},
            AllowHeaders:     []string{"Content-Type", "x-token"},
            ExposeHeaders:    []string{"Content-Length", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers", "Content-Type"},
            AllowCredentials: true,
            MaxAge:           7 * 24 * time.Hour,
            AllowAllOrigins:  false,
        })
    }

    func main() {
        Router := gin.Default()
        Router.Use(NewCors())
        Router.Run()
    }

I have the issue: if I set origins to "https://www.myhome.com", why can other addresses access it? (For example, on my personal PC, which is definitely not "https://www.myhome.com", I use curl https://www.myserver.com. It should return me a 403 Forbidden, but instead it returns the customised response.)
If there is any hint, I'd appreciate it!
I think I've found the problem, in cors.config.go line 68:

    func (cors *cors) applyCors(c *gin.Context) {
        origin := c.Request.Header.Get("Origin")
        if len(origin) == 0 {
            // request is not a CORS request
            return
        }
        host := c.Request.Host
        if origin == "http://"+host || origin == "https://"+host {
            // request is not a CORS request but have origin header.
            // for example, use fetch api
            return
        }
        if !cors.validateOrigin(origin) {
            c.AbortWithStatus(http.StatusForbidden)
            return
        }
        if c.Request.Method == "OPTIONS" {
            cors.handlePreflight(c)
            defer c.AbortWithStatus(cors.optionsResponseStatusCode)
        } else {
            cors.handleNormal(c)
        }
        if !cors.allowAllOrigins {
            c.Header("Access-Control-Allow-Origin", origin)
        }
    }

It allows all access if the Origin header isn't set.
I don't know why. Shouldn't it be disabled by default?
@go-english I'm not sure I understand the issue. Can you post one or more curl commands that trigger the behaviour you observe and also explain what behaviour you expect?
@go-english I think you misunderstand the purpose of CORS. Contrary to popular belief, CORS is no substitute for server-side authorisation. Rather, CORS is a protocol that lets servers instruct browsers to relax the Same-Origin Policy's restrictions for select clients. All other things being equal, activating CORS makes your users less (not more) secure.
Besides, not all user agents implement the SOP or CORS. You shouldn't be surprised that you're able to spoof the Origin header using something like curl.
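The behaviour debated in this thread (the quoted applyCors logic, and jub0bs's point that a spoofable Origin header is no substitute for server-side authorisation), shown as an added example that is not part of the original thread or of the gin-contrib/cors code. It is built on net/http and httptest so it runs stand-alone without gin; the origin allowlist, the X-Token check, the token value and the URLs are constructed assumptions for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins plays the role of AllowOrigins in the gin config above (assumed value).
var allowedOrigins = map[string]bool{"https://www.myhome.com": true}

// validToken is a constructed placeholder for real server-side authorisation
// (the thread's config allows an "x-token" request header; the value is invented here).
const validToken = "constructed-demo-token"

// corsMiddleware mirrors the decision logic of the quoted applyCors:
// no Origin -> not CORS, pass through; same-origin Origin -> pass through;
// Origin not allowlisted -> 403; allowlisted -> reflect it and continue.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			// curl, server-to-server calls and plain navigations send no Origin:
			// the middleware never even looks at the allowlist.
			next.ServeHTTP(w, r)
			return
		}
		if origin == "http://"+r.Host || origin == "https://"+r.Host {
			// same-origin fetch that happens to carry Origin: also not CORS
			next.ServeHTTP(w, r)
			return
		}
		if !allowedOrigins[origin] {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		if r.Method == http.MethodOptions {
			// preflight: answer and stop, the handler never runs
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, x-token")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// protected is the real access-control point. It ignores Origin entirely,
// because any non-browser client can set Origin to whatever it likes.
func protected(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Token") != validToken {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "secret data")
}

// probe sends one in-memory request to https://www.myserver.com/api (assumed URL),
// emulating `curl` with optional Origin and X-Token headers, and returns the
// status code and the Access-Control-Allow-Origin header the server produced.
func probe(method, origin, token string) (status int, acao string) {
	req := httptest.NewRequest(method, "https://www.myserver.com/api", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if token != "" {
		req.Header.Set("X-Token", token)
	}
	rec := httptest.NewRecorder()
	corsMiddleware(http.HandlerFunc(protected)).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	cases := []struct{ method, origin, token, note string }{
		{"GET", "", validToken, "curl without Origin: CORS not involved, token decides"},
		{"GET", "https://evil.example", validToken, "unlisted Origin: 403 from the middleware"},
		{"GET", "https://www.myhome.com", validToken, "allowlisted Origin (real or spoofed, indistinguishable)"},
		{"GET", "https://www.myhome.com", "", "spoofed Origin without token: authorisation still fails"},
		{"OPTIONS", "https://www.myhome.com", "", "preflight: answered without running the handler"},
	}
	for _, c := range cases {
		s, a := probe(c.method, c.origin, c.token)
		fmt.Printf("%-7s origin=%-24q token=%-5t -> %d ACAO=%q  (%s)\n",
			c.method, c.origin, c.token != "", s, a, c.note)
	}
}
```

The allowlist only ever gates browsers that honour the CORS response; the X-Token check is what actually decides who gets "secret data", which is why go-english's curl without an Origin header reaches the handler untouched.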