fix(cors): mirror Origin header when credentials are allowed (#679) #696
jackthepunished wants to merge 1 commit into
…#679) Browsers reject `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true`. The CORS middleware now echoes the request Origin (with `Vary: Origin`) when present and only sends the credentials header in that case; it falls back to `*` without credentials when there is no Origin.
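As an added illustration (not code from this PR or the project, written against the standard library rather than gin), the following models the same decision the middleware makes and adds a hypothetical origin allowlist: with an empty allowlist it behaves exactly like the PR and reflects any Origin with credentials; with a non-empty allowlist only listed origins receive a credentialed response, and unknown origins (including the literal `null` origin) get no `Access-Control-Allow-Origin` at all. The `applyCORS` and `probe` names and the sample origins are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// applyCORS is a hypothetical net/http equivalent of the PR's middleware with
// an allowlist added. allowed == nil or empty reproduces the PR behaviour:
// any non-empty Origin is mirrored back together with credentials.
func applyCORS(w http.ResponseWriter, r *http.Request, allowed map[string]bool) {
	origin := r.Header.Get("Origin")
	h := w.Header()
	switch {
	case origin == "":
		// No Origin: plain wildcard, never combined with credentials.
		h.Set("Access-Control-Allow-Origin", "*")
	case len(allowed) == 0 || allowed[origin]:
		// Known (or, with an empty allowlist, any) origin: mirror it and allow
		// credentials. Add rather than Set so an existing Vary value survives.
		h.Set("Access-Control-Allow-Origin", origin)
		h.Add("Vary", "Origin")
		h.Set("Access-Control-Allow-Credentials", "true")
	default:
		// Unknown origin (this also covers the literal "null" origin): send no
		// Access-Control-Allow-Origin so the browser denies the cross-origin read.
		h.Add("Vary", "Origin")
	}
}

// probe runs applyCORS for a constructed request carrying the given Origin
// (empty string means no Origin header) and returns the response headers.
func probe(origin string, allowed map[string]bool) http.Header {
	req := httptest.NewRequest(http.MethodGet, "/api", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	applyCORS(rec, req, allowed)
	return rec.Header()
}

func main() {
	allowed := map[string]bool{"https://app.example": true} // constructed sample
	for _, o := range []string{"", "https://app.example", "https://evil.example", "null"} {
		h := probe(o, allowed)
		fmt.Printf("Origin=%q -> ACAO=%q credentials=%q\n", o,
			h.Get("Access-Control-Allow-Origin"), h.Get("Access-Control-Allow-Credentials"))
	}
}
```

Running `probe` with a nil allowlist shows the PR's own behaviour: `https://evil.example` and `null` are both mirrored with `Access-Control-Allow-Credentials: true`, which is why this is acceptable only in a development-only middleware.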
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the development CORS middleware to support credentialed requests by avoiding the invalid Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true combination.
Changes:
- Mirror the request Origin when present and enable credentials; otherwise fall back to wildcard origin.
- Add explanatory comment documenting the browser constraint and the chosen behavior.
| origin := c.GetHeader("Origin") | ||
| if origin != "" { | ||
| c.Header("Access-Control-Allow-Origin", origin) | ||
| c.Header("Vary", "Origin") | ||
| c.Header("Access-Control-Allow-Credentials", "true") | ||
| } else { | ||
| c.Header("Access-Control-Allow-Origin", "*") | ||
| } |
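Review bot: mirroring any non-empty Origin together with `Access-Control-Allow-Credentials: true` (the `if origin != ""` branch) grants every origin, including the literal `null` origin sent by sandboxed frames and opaque documents, credentialed access to the API; the browser rule that rejects `*` plus credentials exists precisely to prevent this, and the branch reproduces it as a per-request wildcard. Given the comment says this middleware is for development, suggest either checking `origin` against an allowlist before mirroring it and omitting `Access-Control-Allow-Origin` entirely for unknown origins, or guarding `CORS()` so it cannot be registered outside a development build. Separately, gin's `c.Header` performs a `Set` on the response header map, so `c.Header("Vary", "Origin")` overwrites any `Vary` value an earlier handler wrote; `c.Writer.Header().Add("Vary", "Origin")` preserves it.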
| origin := c.GetHeader("Origin") | ||
| if origin != "" { | ||
| c.Header("Access-Control-Allow-Origin", origin) | ||
| c.Header("Vary", "Origin") |
| // CORS enables permissive CORS headers for development. | ||
| // | ||
| // Browsers reject responses that combine `Access-Control-Allow-Origin: *` | ||
| // with `Access-Control-Allow-Credentials: true`. When the request supplies | ||
| // an `Origin` header we mirror it back (with `Vary: Origin`) and allow | ||
| // credentials; otherwise we fall back to the wildcard with no credentials. | ||
| func CORS() gin.HandlerFunc { |
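Review bot: the doc comment explains the mechanism but not its consequence, and a reader choosing middleware will not see why this must stay development-only; suggest adding a sentence such as `// Mirroring an arbitrary Origin with credentials trusts every site; never mount this in production.` so the constraint travels with the code.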
Browsers reject responses that combine wildcard Origin with credentials. The CORS middleware now echoes the request Origin (with Vary header) when present and only sends credentials in that case; it falls back to wildcard without credentials when there is no Origin (Fixes #679).