cors: not checking for origin header

vishr · vishr · commit d832efd403fc · 2016-11-12T14:05:41.000-08:00
Signed-off-by: Vishal Rana &lt;vr@labstack.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,4 @@ website/public
 vendor
 
 .DS_Store
+_test
diff --git a/middleware/cors.go b/middleware/cors.go
@@ -75,6 +75,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 	if len(config.AllowMethods) == 0 {
 		config.AllowMethods = DefaultCORSConfig.AllowMethods
 	}
+	allowedOrigins := strings.Join(config.AllowOrigins, ",")
 	allowMethods := strings.Join(config.AllowMethods, ",")
 	allowHeaders := strings.Join(config.AllowHeaders, ",")
 	exposeHeaders := strings.Join(config.ExposeHeaders, ",")
@@ -88,25 +89,11 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 
 			req := c.Request()
 			res := c.Response()
-			origin := req.Header.Get(echo.HeaderOrigin)
-			_, originSet := req.Header[echo.HeaderOrigin]
-
-			// Check allowed origins
-			allowedOrigin := ""
-			for _, o := range config.AllowOrigins {
-				if o == "*" || o == origin {
-					allowedOrigin = o
-					break
-				}
-			}
 
 			// Simple request
 			if req.Method != echo.OPTIONS {
 				res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
-				if !originSet || allowedOrigin == "" {
-					return next(c)
-				}
-				res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
+				res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigins)
 				if config.AllowCredentials {
 					res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
 				}
@@ -120,10 +107,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 			res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
 			res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestMethod)
 			res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestHeaders)
-			if !originSet || allowedOrigin == "" {
-				return next(c)
-			}
-			res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
+			res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigins)
 			res.Header().Set(echo.HeaderAccessControlAllowMethods, allowMethods)
 			if config.AllowCredentials {
 				res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
diff --git a/middleware/cors_test.go b/middleware/cors_test.go
@@ -21,18 +21,6 @@ func TestCORS(t *testing.T) {
 		return c.String(http.StatusOK, "test")
 	})
 
-	// No origin header
-	h(c)
-	assert.Equal(t, "", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
-
-	// Empty origin header
-	req, _ = http.NewRequest(echo.GET, "/", nil)
-	rec = httptest.NewRecorder()
-	c = e.NewContext(req, rec)
-	req.Header.Set(echo.HeaderOrigin, "")
-	h(c)
-	assert.Equal(t, "*", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
-
 	// Wildcard origin
 	req, _ = http.NewRequest(echo.GET, "/", nil)
 	rec = httptest.NewRecorder()

Original file line number	Diff line number	Diff line change
`@@ -5,3 +5,4 @@ website/public`
`5`	`5`	`vendor`
`6`	`6`
`7`	`7`	`.DS_Store`
	`8`	`+_test`