
Cors error

Open juancer opened this issue 1 year ago • 2 comments

Hello,

I'm having problems with CORS on my backend with the PUT request. This is my conf:

r := gin.Default()
config := cors.DefaultConfig()
config.AllowOrigins = []string{"https://domain1.es", "https://www.domain1.es", "https://domain2.es", "https://www.domain2.es", "http://ip", "https://ip"}
config.AllowCredentials = true
config.AllowMethods = []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}
config.AllowHeaders = []string{"Origin", "Content-Length", "Content-Type", "Authorization", "user-agent", "X-Requested-With", "Token"}
config.MaxAge = 12 * time.Hour
config.AllowOriginFunc = func(origin string) bool {
	return origin == "https://domain1.es, https://domain2.es, https://www.domain1.es, https://www.domain2.es, http://ip, https://ip"
}
r.Use(cors.New(config))

I'm also trying to manage my option request and checking the headers to print them on my console:

r.OPTIONS("/service", func(c *gin.Context) {
	c.Header("Access-Control-Allow-Origin", "https://domain1.es, https://domain2.es, https://www.domain1.es, https://www.domain2.es, http://ip, https://ip")
	c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
	c.Header("Access-Control-Allow-Headers", "Authorization, Content-Type, Origin, Content-Length, user-agent, X-Requested-With, Token")
	c.Header("AllowCredentials", "true")
	fmt.Println("Headers from the request:")

	origin := c.Request.Header.Get("Origin")
	if !isValidOrigin(origin, config.AllowOrigins) {
		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid CORS origin"})
		return
	}
	c.JSON(http.StatusNoContent, nil)
})

However, when I try to call with PUT, I'm getting a 403 error in my browser and this message: "CORS missing allow origin" with the PUT request, and, in my console, I only get: [GIN] 2024/02/05 - 14:23:17 | 204 | 63.98µs | ip | OPTIONS "/service" (this is the reason why I'm adding the ip to the allowed origins)

I have: GET /service, PUT /service, DELETE /service, OPTIONS /service -> to manage this preflight request

Here is a playground with the full example

Could someone help me to clarify my situation?

Thanks,

juancer avatar Feb 05 '24 13:02 juancer

What's the origin your request is coming from? Most likely, the origin doesn't match and the cors middleware is aborting.

dbhoot avatar Feb 23 '24 07:02 dbhoot

The callback assigned to AllowOriginFunc is incorrect because

https://domain1.es, https://domain2.es, https://www.domain1.es, https://www.domain2.es, http://ip, https://ip

is not a valid Web-origin value. And because that field, when set, takes precedence over AllowOrigins, the resulting CORS middleware is dysfunctional. cors.New could alert you to such misconfigurations by returning an error result, but it sadly doesn't. To fix your issue, just get rid of AllowOriginFunc in your Config struct.

jub0bs avatar Feb 27 '24 12:02 jub0bs
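
The misconfiguration discussed in this thread, as an added example that is not part of the original posts and is not code from gin-contrib/cors: a standard-library-only Go sketch showing that the callback from the question can never match the single origin a browser sends, next to an exact-match allowlist that rejects malformed entries up front. The names isWebOrigin, brokenAllowOriginFunc and newOriginChecker are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isWebOrigin (hypothetical helper) accepts only scheme://host[:port]:
// no comma or space, no userinfo, path, query or fragment.
func isWebOrigin(s string) bool {
	if strings.ContainsAny(s, ", ") {
		return false
	}
	u, err := url.Parse(s)
	if err != nil {
		return false
	}
	return (u.Scheme == "http" || u.Scheme == "https") && u.Host != "" &&
		u.User == nil && u.Path == "" && u.RawQuery == "" && u.Fragment == ""
}

// brokenAllowOriginFunc reproduces the callback from the question. A browser
// sends one origin per request, so this comparison is false for every request.
func brokenAllowOriginFunc(origin string) bool {
	return origin == "https://domain1.es, https://domain2.es, https://www.domain1.es, https://www.domain2.es, http://ip, https://ip"
}

// newOriginChecker (hypothetical) validates each allowlist entry, then
// returns an exact-match predicate over the validated set.
func newOriginChecker(allowed []string) (func(string) bool, error) {
	set := make(map[string]struct{}, len(allowed))
	for _, o := range allowed {
		if !isWebOrigin(o) {
			return nil, fmt.Errorf("allowlist entry %q is not a single web origin", o)
		}
		set[o] = struct{}{}
	}
	return func(origin string) bool {
		_, ok := set[origin]
		return ok
	}, nil
}

func main() {
	check, _ := newOriginChecker([]string{"https://domain1.es", "https://www.domain1.es"})
	fmt.Println(brokenAllowOriginFunc("https://domain1.es"), check("https://domain1.es"))
	_, err := newOriginChecker([]string{"https://domain1.es, https://domain2.es"})
	fmt.Println(err) // the comma-joined value is reported instead of silently never matching
}
```

Because the configuration in the question sets AllowCredentials to true, exact matching against validated entries is the behaviour to keep; the fix is to correct or drop the callback, not to loosen the comparison.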