CORS optimization #3311
Can I take a look at this?

IMO it is dangerous to reflect the request origin back as the default behaviour for allowing all domains, and other frameworks don't do it either. When withCredentials is set to true, the browser is trying to send credentials or cookies along with the request. As that means another origin is potentially trying to make authenticated requests, the wildcard ("*") is not permitted as the "Access-Control-Allow-Origin" header. https://stackoverflow.com/questions/42803394/cors-credentials-mode-is-include
Hi,

Hi, is this issue still open?

Please assign the issue to me and I will try to solve it.

It looks interesting, please assign me!
Hello, I want to try to optimize this problem, but first I have some questions I want to confirm with you. Should we directly replace the part of the code that sets Access-Control-Allow-Origin to * so that it sets Access-Control-Allow-Origin to the original Origin, or should we use an optional mode with a flag, so that Access-Control-Allow-Origin is changed to the original Origin only after the user enables the flag? (Note: this is my first time participating in an open source project. If there are any communication problems, please let me know.)

```go
// Option 1: directly replace the part of the code that sets
// Access-Control-Allow-Origin to "*" so that it echoes the original Origin.
// setVaryHeaders, originHeader, setHeader and isOriginAllowed are the
// existing helpers in the same package.
// after modification
func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string) {
	setVaryHeaders(w, r)
	origin := r.Header.Get(originHeader)
	if len(origins) == 0 {
		// no allow-list configured: echo the request Origin instead of "*"
		setHeader(w, origin)
		return
	}
	if isOriginAllowed(origins, origin) {
		setHeader(w, origin)
	}
}
```
Is the issue still open?

We should use the "optional mode with a flag that the user can only enable after setting the flag" approach; it's better not to modify the code already in use.
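The two points made in this thread, that "*" must never be combined with credentials and that echoing the request Origin should be an explicit opt-in restricted to an allow-list, are shown together below. This is an added example written for this page, not go-zero's `rest.WithCors` / `rest.WithCustomCors` code: the `corsPolicy` type, its `allowCredentials` flag, the `middleware` and `probe` helpers and the origins `https://app.example.com` / `https://other.example` are all assumptions constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsPolicy is a hypothetical configuration used only for this example; it is
// not go-zero's rest.WithCors / rest.WithCustomCors implementation.
type corsPolicy struct {
	// allowedOrigins lists exact origins ("scheme://host[:port]") that may read
	// responses. Empty means "public API": answer with "*" and nothing else.
	allowedOrigins []string
	// allowCredentials is the opt-in flag discussed in the thread. It only takes
	// effect for an origin that matched allowedOrigins explicitly.
	allowCredentials bool
}

// resolveAllowOrigin returns the Access-Control-Allow-Origin value to send for
// the given request origin and whether Access-Control-Allow-Credentials: true
// may accompany it. An empty first value means "send no CORS headers at all".
func (p corsPolicy) resolveAllowOrigin(origin string) (string, bool) {
	if len(p.allowedOrigins) == 0 {
		// Wildcard mode: browsers refuse "*" together with credentials, and
		// echoing an arbitrary origin here would let every site read
		// authenticated responses, so the flag is deliberately ignored.
		return "*", false
	}
	for _, allowed := range p.allowedOrigins {
		if allowed == origin { // exact match: no substring or suffix matching
			return origin, p.allowCredentials
		}
	}
	return "", false
}

// middleware applies the policy. Vary: Origin is added whenever the answer
// depends on the request origin so shared caches keep responses separate.
func (p corsPolicy) middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" { // same-origin or non-browser request: nothing to do
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Add("Vary", "Origin")
		allow, creds := p.resolveAllowOrigin(origin)
		if allow == "" {
			// Origin not permitted: no CORS headers, the browser blocks the read.
			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", allow)
		if creds {
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		if r.Method == http.MethodOptions { // preflight
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed GET with the given Origin through the middleware
// and returns the Allow-Origin and Allow-Credentials headers it produced.
func probe(p corsPolicy, origin string) (string, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/profile", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	p.middleware(ok).ServeHTTP(rec, req)
	h := rec.Result().Header
	return h.Get("Access-Control-Allow-Origin"), h.Get("Access-Control-Allow-Credentials")
}

func main() {
	public := corsPolicy{}
	publicWithFlag := corsPolicy{allowCredentials: true} // flag without allow-list: ignored
	strict := corsPolicy{allowedOrigins: []string{"https://app.example.com"}, allowCredentials: true}
	cases := []struct {
		name   string
		p      corsPolicy
		origin string
	}{
		{"public, any origin", public, "https://other.example"},
		{"public + flag, any origin", publicWithFlag, "https://other.example"},
		{"strict, listed origin", strict, "https://app.example.com"},
		{"strict, unlisted origin", strict, "https://other.example"},
	}
	for _, c := range cases {
		ao, ac := probe(c.p, c.origin)
		fmt.Printf("%-28s Allow-Origin=%q Allow-Credentials=%q\n", c.name, ao, ac)
	}
}
```

The design choice worth noting is that `allowCredentials` cannot be honoured unless the origin came from the explicit list: with an empty list the policy stays at "*" without credentials, which is the behaviour browsers accept, and an unlisted origin gets no CORS headers at all rather than an echoed value.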
go-zero v1.5.1

The Access-Control-Allow-Origin: * returned by rest.withCors is no longer accepted by browsers.

rest.WithCustomCors() can only be used to return a fixed set of Origins.

Suggestion: directly support setting Access-Control-Allow-Origin to the Origin from the original request.