it doesn't work #148
When you use

```go
AllowOriginFunc: func(origin string) bool {
    if origin == "http://www.foo.com" {
        return true
    }
    if origin == "https://github.com" {
        return true
    }
    return false
},
```

I noticed that foo.com, if you are actually testing there, is not secure, so make sure it's http not https. Secondly, github.com has a content security policy that prevents CORS requests, so it may not be a simple matter to query your server from the dev console, for example.
I have tried this, but it doesn't work either.
@douno23 The screenshot you shared shows a request that does not include any
I have the same problem.
@go-english What problem? If the request doesn't contain any
@jub0bs Hi, bro. Thanks for your reply.

```go
// router setup
var Router = gin.Default()
Router.Use(middleware.NewCors())

// middleware package
func NewCors() gin.HandlerFunc {
    return cors.New(cors.Config{
        AllowOrigins:     []string{"https://www.myhome.com"},
        AllowMethods:     []string{"POST", "GET", "OPTIONS"},
        AllowHeaders:     []string{"Content-Type", "x-token"},
        ExposeHeaders:    []string{"Content-Length", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers", "Content-Type"},
        AllowCredentials: true,
        MaxAge:           7 * time.Hour * 24,
        AllowAllOrigins:  false,
    })
}
```

I have the issue if I set origins: "https://www.myhome.com".
I think I found the problem, in cors.config.go:

```go
func (cors *cors) applyCors(c *gin.Context) {
    origin := c.Request.Header.Get("Origin")
    if len(origin) == 0 {
        // request is not a CORS request
        return
    }
    host := c.Request.Host
    if origin == "http://"+host || origin == "https://"+host {
        // request is not a CORS request but have origin header.
        // for example, use fetch api
        return
    }
    if !cors.validateOrigin(origin) {
        c.AbortWithStatus(http.StatusForbidden)
        return
    }
    if c.Request.Method == "OPTIONS" {
        cors.handlePreflight(c)
        defer c.AbortWithStatus(cors.optionsResponseStatusCode)
    } else {
        cors.handleNormal(c)
    }
    if !cors.allowAllOrigins {
        c.Header("Access-Control-Allow-Origin", origin)
    }
}
```

It allows all access if the Origin header isn't set.
I don't know why. Shouldn't it be disabled by default?
@go-english I'm not sure I understand the issue. Can you post one or more
@jub0bs That's what I'm saying: I set origin: https://www.myhome.com and expected only this URL to be able to access my server (https://www.myserver.com/), but I found I had misunderstood. Then I found this description in "what is origin".
@go-english I think you misunderstand the purpose of CORS. Contrary to popular belief, CORS is no substitute for server-side authorisation. Rather, CORS is a protocol that lets servers instruct browsers to relax the Same-Origin Policy's restrictions for select clients. All other things being equal, activating CORS makes your users less (not more) secure. Besides, not all user agents implement the SOP or CORS. You shouldn't be surprised that you're able to spoof the
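To make the behaviour of the applyCors logic quoted above and the point in the reply concrete, here is an added example (not the gin-contrib/cors code and not from any participant in this thread): a simplified net/http re-implementation of the same decision order, probed with constructed requests. The allowed origin, the server host and the "secret data" body are assumptions chosen to match the thread; the example shows that a request with no Origin header is never blocked, so a non-browser client reaches the handler regardless of the CORS configuration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// CorsFilter mirrors the decision order of the quoted applyCors function,
// reduced to net/http so it runs without gin (added example, not library code).
func CorsFilter(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			// No Origin header: not a CORS request. The filter steps aside and
			// the handler runs unconditionally, which is what curl/Postman see.
			next.ServeHTTP(w, r)
			return
		}
		if origin == "http://"+r.Host || origin == "https://"+r.Host {
			next.ServeHTTP(w, r) // same-origin fetch, also not a CORS request
			return
		}
		if !allowed[origin] {
			w.WriteHeader(http.StatusForbidden) // only browsers are affected
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		next.ServeHTTP(w, r)
	})
}

// Probe sends one constructed GET to https://www.myserver.com/ through the
// filter and returns the status code and the ACAO header the caller saw.
func Probe(origin string) (int, string) {
	handler := CorsFilter(map[string]bool{"https://www.myhome.com": true},
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Write([]byte("secret data")) // constructed protected resource
		}))
	req := httptest.NewRequest("GET", "https://www.myserver.com/", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	Probe("") // 200 with no ACAO header: CORS never gates a non-browser client
}
```

Real access control belongs in the handler (authentication and authorisation of the caller), independently of what the CORS filter decides.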
@jub0bs Yeah, bro! I think I finally understand what CORS can do and what it cannot do. Thanks for your patience, have a nice day!
Here is the code: (screenshot)

Browser response: (screenshot)

Postman response: (screenshot)

Cannot find Access-Control-Allow-Origin, Access-Control-Expose-Headers, and so on.