rs/cors

AllowedOrigins doesn't block unlisted origins

Nightsee opened this issue · 2 comments

I am trying to block all requests coming from origins other than the specified one, but the requests still pass.
My code looks like this:

```go
router := httprouter.New()
...
c := cors.New(cors.Options{
	AllowedOrigins: []string{"http://localhost:3020"},
})
handler := c.Handler(router)
```

I tried to use AllowOriginFunc and print the origin; I get nothing.
I am testing the API from localhost:3030 and it's working. Why is that, and how can I implement what I want? Thanks.

@Nightsee I think your issue stems from a misunderstanding of CORS's purpose. Contrary to popular belief, CORS (Cross-Origin Resource Sharing) is not a defence; its purpose is not to block requests, but to relax the reading (and, in some cases, sending) restrictions that the Same-Origin Policy enforces by default in browsers. See also #129.

@Nightsee If you're happy, don't hesitate to close the issue yourself.