
CORS optimization

Open Meppo opened this issue 2 years ago • 8 comments

go-zero v1.5.1

rest.withCors returns Access-Control-Allow-Origin: *, and browsers no longer accept this now.

rest.WithCustomCors() can also only be used to return a fixed set of Origins.

Suggestion: directly support setting Access-Control-Allow-Origin to the Origin from the original request.

Meppo avatar Jun 01 '23 05:06 Meppo

Can I take a look at this? Thanks

jjkoh95 avatar Jun 13 '23 05:06 jjkoh95

IMO it is dangerous to set the request origin back as the default behaviour for allowing all domains, and other frameworks don't do it either.

When withCredentials is set to true, it is trying to send credentials or cookies along with the request. As that means another origin is potentially trying to do authenticated requests, the wildcard ("*") is not permitted as the "Access-Control-Allow-Origin" header.

https://stackoverflow.com/questions/42803394/cors-credentials-mode-is-include

zcong1993 avatar Jun 13 '23 10:06 zcong1993

Hi, can I take a look at this? Thanks

mahfoos avatar Sep 12 '23 14:09 mahfoos

Hi, is this issue still open?

majjikishore007 avatar Nov 02 '23 16:11 majjikishore007

Please assign the issue to me and I will try to solve it

yanzhuiyun avatar Nov 14 '23 07:11 yanzhuiyun

It looks interesting, please assign me!

saleroa avatar Jun 26 '24 15:06 saleroa

Hello, I want to try to optimize this problem, but I have some questions I want to confirm with you first. Should we directly replace the part of the code that sets Access-Control-Allow-Origin to * so that it sets Access-Control-Allow-Origin to the original Origin, or should we use an optional mode with a flag, so that Access-Control-Allow-Origin is changed to the original Origin only after the user has enabled the flag? (Note: This is my first time participating in an open source project. If there are any communication problems, please let me know.)

```go
// Option 1: directly replace the part of the code that sets
// Access-Control-Allow-Origin to "*" with one that echoes the request Origin.
// This is a modified excerpt of go-zero's CORS helper; setVaryHeaders,
// setHeader, isOriginAllowed and originHeader come from that package.
// After modification:
func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string) {
	setVaryHeaders(w, r)

	origin := r.Header.Get(originHeader)
	if len(origins) == 0 {
		// No allowlist configured: echo the request Origin instead of "*".
		setHeader(w, origin)
		return
	}

	// Allowlist configured: echo the Origin only if it is listed.
	if isOriginAllowed(origins, origin) {
		setHeader(w, origin)
	}
}
```

potatocheng avatar Sep 17 '24 07:09 potatocheng

Is the issue still open?

akulabs8 avatar Oct 31 '24 11:10 akulabs8

We should "use Optional mode to set a flag that the user can only enable after setting the flag"; it's better not to modify the code that is already in use.

Meppo avatar Nov 01 '24 01:11 Meppo
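The two points raised in the thread, that a blind echo of the request Origin together with credentials is dangerous (jjkoh95) and that origin echoing should be opt-in behind an explicit option rather than the default (potatocheng, Meppo), can be shown together in one small middleware. The following is an added example written for this page; it is not go-zero's rest.WithCors or rest.WithCustomCors implementation, and the names corsConfig, WithAllowedOrigins, WithCredentials and probe are hypothetical. It keeps "*" as the default (no credentials), and only echoes an Origin back when that exact origin has been listed through the option, so "*" and Access-Control-Allow-Credentials: true are never emitted together and an unlisted origin gets no CORS headers at all.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// corsConfig is a hypothetical, minimal configuration for this example only.
type corsConfig struct {
	allowedOrigins   map[string]struct{} // lower-cased exact origins
	allowCredentials bool
}

type corsOption func(*corsConfig)

// WithAllowedOrigins is the opt-in flag: origin echoing starts only when the
// user lists origins explicitly. Matching is exact, so
// "https://app.example.com.evil.test" does not match "https://app.example.com".
func WithAllowedOrigins(origins ...string) corsOption {
	return func(c *corsConfig) {
		for _, o := range origins {
			c.allowedOrigins[strings.ToLower(o)] = struct{}{}
		}
	}
}

// WithCredentials requests Access-Control-Allow-Credentials: true. It is
// ignored without an allowlist: browsers reject "*" with credentials, and a
// blind echo of the Origin would hand every site the user's cookies.
func WithCredentials() corsOption {
	return func(c *corsConfig) { c.allowCredentials = true }
}

func newCorsConfig(opts ...corsOption) *corsConfig {
	c := &corsConfig{allowedOrigins: map[string]struct{}{}}
	for _, opt := range opts {
		opt(c)
	}
	return c
}

// setCorsHeaders writes the CORS headers for one request and returns the
// Access-Control-Allow-Origin value it chose ("" when none is sent).
func (c *corsConfig) setCorsHeaders(w http.ResponseWriter, r *http.Request) string {
	w.Header().Add("Vary", "Origin") // the answer depends on Origin; caches must key on it
	origin := r.Header.Get("Origin")

	// Default mode: no allowlist, public cookie-less access only.
	if len(c.allowedOrigins) == 0 {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		return "*"
	}
	// Allowlist mode: echo the Origin back only if it is explicitly listed.
	if _, ok := c.allowedOrigins[strings.ToLower(origin)]; origin == "" || !ok {
		return "" // unknown origin: no CORS headers, the browser blocks the read
	}
	w.Header().Set("Access-Control-Allow-Origin", origin)
	if c.allowCredentials {
		w.Header().Set("Access-Control-Allow-Credentials", "true")
	}
	return origin
}

// Handler wraps next with the CORS policy and answers preflights directly.
func (c *corsConfig) Handler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.setCorsHeaders(w, r)
		if r.Method == http.MethodOptions {
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed GET with the given Origin and returns the
// Allow-Origin and Allow-Credentials headers the middleware produced.
func probe(c *corsConfig, origin string) (allowOrigin, allowCreds string) {
	h := c.Handler(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/profile", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin"), rec.Header().Get("Access-Control-Allow-Credentials")
}

func main() {
	public := newCorsConfig()
	fmt.Println(probe(public, "https://evil.example")) // "*" and no credentials header
	private := newCorsConfig(WithAllowedOrigins("https://app.example.com"), WithCredentials())
	fmt.Println(probe(private, "https://app.example.com")) // echoed origin, credentials true
	fmt.Println(probe(private, "https://evil.example"))    // no CORS headers at all
}
```

The Vary: Origin header matters as soon as the response differs per origin; without it a shared cache could serve one origin's Access-Control-Allow-Origin to another. Note that the allowlist compares whole origins (scheme, host, port), not substrings or prefixes, which is where reflected-origin implementations usually go wrong.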