From 5288ed0d501c57cc8a517aa7e0a1f1b5bdbf4d69 Mon Sep 17 00:00:00 2001
From: Olivier Poitrey
Date: Tue, 5 Sep 2023 16:19:06 +0200
Subject: [PATCH] Remove Origin always added to allowed header

Fixes #151
---
 cors.go | 7 +++----
 cors_test.go | 19 -------------------
 2 files changed, 3 insertions(+), 23 deletions(-)

diff --git a/cors.go b/cors.go
index c330a93..c2959f2 100644
--- a/cors.go
+++ b/cors.go
@@ -64,7 +64,7 @@ type Options struct {
 // AllowedHeaders is list of non simple headers the client is allowed to use with
 // cross-domain requests.
 // If the special "*" value is present in the list, all headers will be allowed.
- // Default value is [] but "Origin" is always appended to the list.
+ // Default value is [].
 AllowedHeaders []string
 // ExposedHeaders indicates which headers are safe to expose to the API of a CORS
 // API specification
@@ -187,10 +187,9 @@ func New(options Options) *Cors {
 // Allowed Headers
 if len(options.AllowedHeaders) == 0 {
 // Use sensible defaults
- c.allowedHeaders = []string{"Origin", "Accept", "Content-Type", "X-Requested-With"}
+ c.allowedHeaders = []string{"Accept", "Content-Type", "X-Requested-With"}
 } else {
- // Origin is always appended as some browsers will always request for this header at preflight
- c.allowedHeaders = convert(append(options.AllowedHeaders, "Origin"), http.CanonicalHeaderKey)
+ c.allowedHeaders = convert(options.AllowedHeaders, http.CanonicalHeaderKey)
 for _, h := range options.AllowedHeaders {
 if h == "*" {
 c.allowedHeadersAll = true
diff --git a/cors_test.go b/cors_test.go
index 473bc35..d2d0541 100644
--- a/cors_test.go
+++ b/cors_test.go
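Review bot: The new doc line `// Default value is [].` on the AllowedHeaders field is literally true for the zero value but no longer tells the reader what an empty list means: the hunk at line 187 substitutes Accept, Content-Type and X-Requested-With when the list is empty, so the Options doc should carry that. Suggest `// Default value is [], which New treats as Accept, Content-Type and X-Requested-With.` Since callers who passed their own list previously got Origin appended for free, one more sentence stating that Origin is no longer added implicitly would help anyone upgrading. The Options struct continues outside the hunk.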
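Review bot: The behaviour change at `c.allowedHeaders = convert(options.AllowedHeaders, http.CanonicalHeaderKey)` is only covered negatively — the cors_test.go hunk deletes the OriginHeader case but nothing pins the new result, so a later reintroduction of the implicit append would go unnoticed. A replacement TestSpec entry that sends `Access-Control-Request-Headers: origin` with an explicit AllowedHeaders list and asserts the preflight is not granted, plus one checking the three-header default list, would lock the fix in. Dropping the `append` also removes a slice-aliasing hazard, because appending to the caller's `options.AllowedHeaders` could write into its spare capacity; that is worth a word in the commit message. From a defender's view the new default is the safer one: Origin is a browser-set forbidden request header under the Fetch standard, so allowing it never widened what a script could send, and callers whose clients do list it in the preflight can still add it explicitly. New's body continues outside the hunk.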
@@ -376,25 +376,6 @@ func TestSpec(t *testing.T) {
 },
 true,
 },
- {
- "OriginHeader",
- Options{
- AllowedOrigins: []string{"http://foobar.com"},
- },
- "OPTIONS",
- map[string]string{
- "Origin": "http://foobar.com",
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": "origin",
- },
- map[string]string{
- "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
- "Access-Control-Allow-Origin": "http://foobar.com",
- "Access-Control-Allow-Methods": "GET",
- "Access-Control-Allow-Headers": "Origin",
- },
- true,
- },
 {
 "ExposedHeader",
 Options{