rs/cors

cors not adding multiple Access-Control-Allow-Origin entries

udf2457 opened this issue · 2 comments

I am loading cors with the following:

corsAllowedHeaders := "Hx-Current-Url,Hx-Request"
corsAllowedOrgins := "https://one.example.com,https://two.example.com"
cors.New(cors.Options{
	AllowedHeaders: strings.Split(corsAllowedHeaders, ","),
	AllowedOrigins: strings.Split(corsAllowedOrgins, ","),
	AllowedMethods: []string{"GET", "POST", "HEAD", "OPTIONS"},
	Debug:          true,
})

But the debug output only shows the first URL being added:

Actual response added headers: map[Access-Control-Allow-Origin:[https://one.example.com] Vary:[Origin]]

Am I doing something wrong, or is this a bug?

The middleware is working as expected in that respect: according to the Fetch standard, a response to a CORS request should indeed contain at most one Access-Control-Allow-Origin header.

If more than one such header is present in a response, browsers join their values with the character sequence `, `; browsers would essentially interpret

Access-Control-Allow-Origin: https://one.example.com
Access-Control-Allow-Origin: https://two.example.com

as

Access-Control-Allow-Origin: https://one.example.com, https://two.example.com

If that happens, the CORS check is bound to fail, because no valid origin value can contain `, `; here is just one example.

@udf2457 Has my last comment answered your question? Can we close this issue?
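
The behaviour explained in the thread above, as an added Go example that is not part of the original issue and is not rs/cors's own code: a simplified standard-library middleware echoes the single matching origin, and a model of the browser-side check shows why two Access-Control-Allow-Origin headers fail. The names allowOrigins, browserCORSCheck and respond are hypothetical, and the check models only the non-wildcard case.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowOrigins is a simplified stand-in for a CORS middleware (assumption, not rs/cors):
// it echoes the request's Origin only when that origin is on the allow-list.
func allowOrigins(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]bool, len(allowed))
	for _, o := range allowed {
		set[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin") // the response differs per Origin, so caches must key on it
		if origin := r.Header.Get("Origin"); set[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		next.ServeHTTP(w, r)
	})
}

// browserCORSCheck models the browser side: repeated header values are joined
// with ", " and the result must equal the requesting origin exactly.
func browserCORSCheck(h http.Header, origin string) bool {
	combined := strings.Join(h.Values("Access-Control-Allow-Origin"), ", ")
	return combined != "" && combined == origin
}

// respond sends a constructed request with the given Origin through the middleware.
func respond(origin string) http.Header {
	allowed := strings.Split("https://one.example.com,https://two.example.com", ",")
	h := allowOrigins(allowed, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	req := httptest.NewRequest("GET", "/", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	for _, o := range []string{"https://one.example.com", "https://two.example.com", "https://other.example.net"} {
		fmt.Println(o, "->", respond(o).Values("Access-Control-Allow-Origin"), browserCORSCheck(respond(o), o))
	}
	both := http.Header{"Access-Control-Allow-Origin": {"https://one.example.com", "https://two.example.com"}}
	fmt.Println("two headers ->", browserCORSCheck(both, "https://one.example.com"))
}
```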