
CORS optimization #3311

Open
Meppo opened this issue Jun 1, 2023 · 10 comments
Labels
good first issue Good for newcomers

Comments

@Meppo

Meppo commented Jun 1, 2023

go-zero v1.5.1

rest.withCors returns Access-Control-Allow-Origin: *, which browsers no longer accept (in credentialed mode).

rest.WithCustomCors() can also only be used to return a fixed set of Origins.

Suggestion: directly support setting Access-Control-Allow-Origin to the Origin of the incoming request.

@kevwan kevwan changed the title CORS优化 CORS optimization Jun 1, 2023
@kevwan kevwan added the good first issue Good for newcomers label Jun 12, 2023
@jjkoh95

jjkoh95 commented Jun 13, 2023

Can I take a look at this?
Thanks

@zcong1993
Member

IMO it is dangerous to reflect the request origin back as the default behaviour for allowing all domains, and other frameworks don't do it either.

When withCredentials is set to true, it is trying to send credentials or cookies along with the request. As that means another origin is potentially trying to do authenticated requests, the wildcard ("*") is not permitted as the "Access-Control-Allow-Origin" header.

https://stackoverflow.com/questions/42803394/cors-credentials-mode-is-include

@mahfoos

mahfoos commented Sep 12, 2023

Hi,
Can I take a look at this?
Thanks

@majjikishore007

Hi, is this issue still open?

@yanzhuiyun

Please assign the issue to me and I will try to solve it.

@saleroa

saleroa commented Jun 26, 2024

It looks interesting, please assign me!

@potatocheng

Hello, I want to try to optimize this problem, but I have some questions I want to confirm with you first. Should we directly replace the part of the code that sets Access-Control-Allow-Origin to * with setting Access-Control-Allow-Origin to the original Origin, or should we use an optional mode with a flag, so that Access-Control-Allow-Origin is changed to the original Origin only after the user has enabled that flag? (Note: This is my first time participating in an open source project. If there are any communication problems, please let me know.)

```go
// Option 1: directly replace the part of the code that sets
// Access-Control-Allow-Origin to "*" with the request's own Origin.
// setVaryHeaders, originHeader, isOriginAllowed and setHeader are the
// existing helpers in go-zero's cors package.
// after modification
func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string) {
	setVaryHeaders(w, r)

	origin := r.Header.Get(originHeader)
	if len(origins) == 0 {
		// No allow list configured: echo the request Origin instead of "*".
		setHeader(w, origin)
		return
	}

	// Allow list configured: reflect the Origin only if it is on the list.
	if isOriginAllowed(origins, origin) {
		setHeader(w, origin)
	}
}
```
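To make the trade-off in zcong1993's comment and in the proposal above concrete, here is a constructed example (not go-zero's code) of the allow-listed variant: the request Origin is reflected only when it is on a configured list, credentials are enabled only in that case, and an unknown Origin gets no Access-Control-Allow-Origin header at all rather than "*" or an echo. Preflight (OPTIONS) handling is left out for brevity; the names allowListedCORS and corsHeaderFor are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowListedCORS is a constructed example middleware (not go-zero's own).
// It reflects the request Origin into Access-Control-Allow-Origin only when
// that origin is on the allow list: "*" is rejected by browsers once
// credentials are included, and echoing every Origin would let any site make
// credentialed cross-origin requests, the risk raised above.
func allowListedCORS(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]struct{}, len(allowed))
	for _, o := range allowed {
		set[strings.ToLower(o)] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Vary: Origin keeps caches from serving one origin's response to another.
		w.Header().Add("Vary", "Origin")
		origin := r.Header.Get("Origin")
		if _, ok := set[strings.ToLower(origin)]; ok {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		// Unknown origins get no CORS headers at all; never fall back to "*".
		next.ServeHTTP(w, r)
	})
}

// corsHeaderFor sends one request carrying the given Origin through the
// middleware and returns the Access-Control-Allow-Origin value it produced.
func corsHeaderFor(allowed []string, origin string) string {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/api", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	allowListedCORS(allowed, ok).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	allowed := []string{"https://app.example.com"} // constructed allow list
	fmt.Printf("%q\n", corsHeaderFor(allowed, "https://app.example.com"))   // reflected
	fmt.Printf("%q\n", corsHeaderFor(allowed, "https://other.example.net")) // "" (blocked)
}
```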

@akulabs8

Is the issue still open?

@Meppo
Author

Meppo commented Nov 1, 2024


We should go with "use Optional mode to set a flag that the user can only enable after setting the flag"; it's better not to modify the code already in use.
