Remove Origin always added to allowed header
Fixes #151
rs committed Sep 5, 2023
1 parent 080e86e commit 5288ed0
Showing 2 changed files with 3 additions and 23 deletions.
7 changes: 3 additions & 4 deletions cors.go
Expand Up @@ -64,7 +64,7 @@ type Options struct {
// AllowedHeaders is list of non simple headers the client is allowed to use with
// cross-domain requests.
// If the special "*" value is present in the list, all headers will be allowed.
// Default value is [] but "Origin" is always appended to the list.
// Default value is [].
AllowedHeaders []string
// ExposedHeaders indicates which headers are safe to expose to the API of a CORS
// API specification
Expand Down Expand Up @@ -187,10 +187,9 @@ func New(options Options) *Cors {
// Allowed Headers
if len(options.AllowedHeaders) == 0 {
// Use sensible defaults
c.allowedHeaders = []string{"Origin", "Accept", "Content-Type", "X-Requested-With"}
c.allowedHeaders = []string{"Accept", "Content-Type", "X-Requested-With"}
} else {
// Origin is always appended as some browsers will always request for this header at preflight
c.allowedHeaders = convert(append(options.AllowedHeaders, "Origin"), http.CanonicalHeaderKey)
c.allowedHeaders = convert(options.AllowedHeaders, http.CanonicalHeaderKey)
for _, h := range options.AllowedHeaders {
if h == "*" {
c.allowedHeadersAll = true
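Review bot: The new doc comment `// Default value is [].` on the AllowedHeaders field is misleading, because the `len(options.AllowedHeaders) == 0` branch in New() substitutes "Accept", "Content-Type" and "X-Requested-With" rather than allowing nothing; a reader relying on the comment would under-estimate what an unconfigured Cors accepts. Suggested wording: `// Default value is [], which New() treats as allowing "Accept", "Content-Type" and "X-Requested-With".` Since the deleted OriginHeader test shows a preflight carrying `Access-Control-Request-Headers: origin` was previously accepted, that preflight will presumably now be rejected unless "Origin" is listed explicitly, so the comment should also state that "Origin" is no longer implied and must be configured by deployments that still see it requested. Both the Options struct and New() continue outside the hunks.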
19 changes: 0 additions & 19 deletions cors_test.go
Expand Up @@ -376,25 +376,6 @@ func TestSpec(t *testing.T) {
},
true,
},
{
"OriginHeader",
Options{
AllowedOrigins: []string{"http://foobar.com"},
},
"OPTIONS",
map[string]string{
"Origin": "http://foobar.com",
"Access-Control-Request-Method": "GET",
"Access-Control-Request-Headers": "origin",
},
map[string]string{
"Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
"Access-Control-Allow-Origin": "http://foobar.com",
"Access-Control-Allow-Methods": "GET",
"Access-Control-Allow-Headers": "Origin",
},
true,
},
{
"ExposedHeader",
Options{
