gin icon indicating copy to clipboard operation
gin copied to clipboard
verified publisher icon gin-gonic

Why does this code panic when trying to set AllowedOrigins?

Open jarrodhroberson opened this issue 8 months ago • 3 comments

Using the following code I get a panic

func CORS() gin.HandlerFunc {
	allowedOrigins := []string{"https://example.com", "https://www.example.com"}
	if v, ok := os.LookupEnv("ALLOW_LOCAL_HOST"); ok {
		allowedOrigins = append(allowedOrigins, v)
	}
	config := cors.Config{
		AllowOrigins:     allowedOrigins,
	}

	return cors.New(config)
}

I get this panic

ERROR 2025-03-24T02:41:34.271704Z panic: bad origin: origins must contain '*' or include http://,https://

but if I slightly change it to

	config := cors.Config{
		AllowOrigins: []string{"https://example.com", "https://www.example.com"},
	}

it works as expected?

Is this a bug?

If not What am I missing here?

jarrodhroberson avatar Mar 24 '25 02:03 jarrodhroberson

In your first code example, you are appending value to slice from env variable ALLOW_LOCAL_HOST.

if v, ok := os.LookupEnv("ALLOW_LOCAL_HOST"); ok {
	allowedOrigins = append(allowedOrigins, v)
}

It's likely that the value read from there is malformed url.

bound2 avatar Mar 28 '25 05:03 bound2

if it is missing something why not tell the user what caused the error?

panic: bad origin: <>BAD ORIGIN HERE>>; origins must contain '*' or include http://,https://) instead of the lazy "oh crap something happened" message it is spittng out.

Instead we get a MSDOS era "FILE NOT FOUND" error message.

On Fri, Mar 28, 2025 at 1:54 AM bound2 @.***> wrote:

In your first code example, you are appending value to slice from env variable ALLOW_LOCAL_HOST.

if v, ok := os.LookupEnv("ALLOW_LOCAL_HOST"); ok { allowedOrigins = append(allowedOrigins, v) }

It's likely that the value read from there is malformed url.

— Reply to this email directly, view it on GitHub https://github.com/gin-gonic/gin/issues/4195#issuecomment-2760270713, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABF77ZAWI5NARJAMJQKPTL2WTIXTAVCNFSM6AAAAABZTZEDXWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONRQGI3TANZRGM . You are receiving this because you authored the thread.Message ID: @.***> [image: bound2]bound2 left a comment (gin-gonic/gin#4195) https://github.com/gin-gonic/gin/issues/4195#issuecomment-2760270713

In your first code example, you are appending value to slice from env variable ALLOW_LOCAL_HOST.

if v, ok := os.LookupEnv("ALLOW_LOCAL_HOST"); ok { allowedOrigins = append(allowedOrigins, v) }

It's likely that the value read from there is malformed url.

— Reply to this email directly, view it on GitHub https://github.com/gin-gonic/gin/issues/4195#issuecomment-2760270713, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABF77ZAWI5NARJAMJQKPTL2WTIXTAVCNFSM6AAAAABZTZEDXWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONRQGI3TANZRGM . You are receiving this because you authored the thread.Message ID: @.***>

-- Jarrod Roberson 678.551.2852

jarrodhroberson avatar Mar 29 '25 19:03 jarrodhroberson

I've added a pull request to the cors contrib package: https://github.com/gin-contrib/cors/pull/167

kkoehler avatar Jun 24 '25 13:06 kkoehler