Martti T.

> If I understood correctly, the restriction here is that users cannot use - in a parameter name like :user-name. Is that correct? No, using only `-` is too restricting....

This is the use-case for middleware.CORSConfig.Skipper to skip these routes. Registering OPTIONS routes and expecting them to work with CORS middleware is a edge case for skipper. p.s. middleware could...

well, there could be other middlewares that render the response after CORS middleware so there is not even guarantee that original handler, that was registered, would be executed. So this...

Sorry, I meant CORS everywhere here where I mentioned CSRF. I'll edit these comment to use correct term, which I actually meant.

Reasons why I do not think that deciding to run CORS middleware should have feature describe in this issue: In no particular order: * Adding check into CORS middleware to...

I after good night sleep I took another look into this thing. Basically we are talking at the moment of this block https://github.com/labstack/echo/blob/98a523756d875bc13475bcb6237f09e771cbe321/middleware/cors.go#L202-L207 Lets not delve into `preflight` variable which...

I am being cautious here - dealing with widely used and old code base is mostly choosing if change can be at all done. We are trying to have stable...

one thing here is that OPTIONS request are most of the time unauthenticated when application is using cookies as cookies are not send by browser for preflight requests. The impact...

this is somewhat of a "feature" because of this block https://github.com/labstack/echo/blob/a2e7085094bda23a674c887f0e93f4a15245c439/group.go#L21-L32

@escb005, yep, it does not seems to work properly. I'll take a look into it. It is probably time to investigate how to remove these 2 hidden routes that are...