jub0bs

icon indicating a website link https://jub0bs.com

Results 181 comments of jub0bs

[cors]: allow users to disable preflight caching

@jaitaiwan See https://github.com/gorilla/handlers/pull/250, which also aims to fix https://github.com/gorilla/handlers/issues/246 but in a slightly different way. Additional resources on the topic: - https://jub0bs.com/posts/2023-02-08-fearless-cors/#impossibility-to-turn-preflight-caching-off - https://pkg.go.dev/github.com/jub0bs/cors#hdr-MaxAgeInSeconds

[BUG] CORS middleware sets `Vary: Origin` header only in some cases

Recommended reading about [why CORS libraries should not support custom callbacks](https://jub0bs.com/posts/2023-02-08-fearless-cors/#do-not-support-custom-callbacks) like `AllowedOriginValidator`.

CORS: allow users to disable preflight caching

The downside of using `*int` is that you're introducing an unnecessary level of indirection. Since the struct fields are unexported, you can afford to introduce a `bool` field indicating whether...

CORS: allow users to disable preflight caching

No worries. We're all learning, I as well. > using pointer properties offers offers clarity about the ability to leave a value empty or unset Under the assumption that `*int`...

CORS: allow users to disable preflight caching

@KarolosLykos > The isn't entirely accurate, as most users tend to inspect the underlying code of a function they wish to use. Users who _wish_ to study the implementation would,...

CORS: allow users to disable preflight caching

No feedback from maintainers in more than three months... Is this project still maintained?

proposal: x/net/http/httpguts: add IsToken

@neild > the simple interim approach that doesn't require this proposal to be accepted is to add an internal `isToken` function in `net/http` I'd be fine with that!

middleware.CORSConfig can not be configured per path

@rpstw Note that `curl -vL -X OPTIONS '10.20.0.23:3323/some-path?' -H Origin:https://some-origin.com` does not correspond to a [CORS-preflight request](https://fetch.spec.whatwg.org/#cors-preflight-request): it's missing an `Access-Control-Request-Method` header. Therefore, [I wouldn't expect](https://github.com/labstack/echo/issues/2534) a properly implemented CORS...

Adding origins dynamically

FWIW, here is a post about the approach I followed to make CORS middleware reconfigurable in my Go library: https://jub0bs.com/posts/2024-05-14-reconfigurable-cors-middleware/. Perhaps it can serve as inspiration for rack-cors.

CORS middleware does not return Access-Control-Allow-Origin or Access-Control-Expose-Headers in response

@douno23 The screenshot you shared shows a request that does not include any `Origin` header; therefore, it's not a [CORS request](https://fetch.spec.whatwg.org/#cors-request).