rs/cors

Wildcard support for AllowedHeaders or add AllowedHeadersFunc

kilgaloon opened this issue · 3 comments

I don't see support for specifying something like X-Header-*. I think this can be useful for some use cases. Maybe it would be good to add support for the wildcard or provide a func similar to AllowOriginFunc.

This seems like an odd use case to me...

  1. How many such request-header names do you typically need to allow in your CORS configuration?
  2. Would allowing all request headers (via AllowedHeaders: "*") not be an acceptable alternative?

Another consideration: security. What if an adversary spoofs a preflight request that contains the following header?

Access-Control-Request-Headers: X-Header-followed_by_a_very_looooooooooooong_character_sequence

Allowing all header names of the form X-Header-* would force the CORS middleware to scan the entire header value, which could be as long as 1 << 20 bytes (and a bit). Such spoofed preflight requests could have a detrimental impact on middleware performance. In this connection, see #170.
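An added illustration of the trade-off raised in this comment, not code from rs/cors: a hypothetical wildcard matcher for request-header names that refuses to scan an Access-Control-Request-Headers value beyond a fixed length, so a spoofed preflight cannot force a long scan. The 4096-byte cap and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed cap (not an rs/cors setting): an Access-Control-Request-Headers value
// longer than this is rejected before any name is inspected, so a spoofed value
// of about 1<<20 bytes never reaches the matching loop.
const maxRequestHeadersLen = 4096

// headerMatches reports whether a lower-cased header name is accepted by one
// allow-list entry; an entry ending in "*" (e.g. "x-header-*") matches by prefix.
func headerMatches(name, allowed string) bool {
	if strings.HasSuffix(allowed, "*") {
		return strings.HasPrefix(name, strings.TrimSuffix(allowed, "*"))
	}
	return name == allowed
}

// anyMatches reports whether some allow-list entry covers name.
func anyMatches(name string, allowed []string) bool {
	for _, a := range allowed {
		if headerMatches(name, strings.ToLower(a)) {
			return true
		}
	}
	return false
}

// allowsRequestHeaders decides whether every name in a preflight's
// Access-Control-Request-Headers value is covered by the allow-list.
func allowsRequestHeaders(value string, allowed []string) bool {
	if len(value) > maxRequestHeadersLen {
		return false // bounded scan: reject oversized values outright
	}
	for _, name := range strings.Split(value, ",") {
		if !anyMatches(strings.ToLower(strings.TrimSpace(name)), allowed) {
			return false
		}
	}
	return true
}

func main() {
	allowed := []string{"Content-Type", "X-Header-*"}
	fmt.Println(allowsRequestHeaders("content-type, X-Header-Trace", allowed)) // true
	fmt.Println(allowsRequestHeaders("X-Header-"+strings.Repeat("a", 1<<20), allowed)) // false
}
```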

@kilgaloon Any further comment? Can we close this issue?

@rs Without feedback from the OP, and in light of a recent comment of yours, I'm inclined to reject this suggestion.