Merge pull request #147 from gofr-dev/en/remove_origin_header_from_CORS

Vipul Rawat · web-flow · commit afe327688879 · 2023-12-27T11:54:07.000+05:30
remove Origin from the list of necessary CORS header
diff --git a/pkg/middleware/cors.go b/pkg/middleware/cors.go
@@ -10,7 +10,7 @@ import (
 )
 
 const (
-	allowedHeaders = "Authorization, Content-Type, x-requested-with, origin, true-client-ip, X-Correlation-ID"
+	allowedHeaders = "Authorization, Content-Type, x-requested-with, true-client-ip, X-Correlation-ID"
 	allowedMethods = "PUT, POST, GET, DELETE, OPTIONS, PATCH"
 )
 
@@ -47,8 +47,6 @@ func getValidCORSHeaders(envHeaders map[string]string) map[string]string {
 
 		// If config is not set - for the three headers, set default value.
 		switch header {
-		case "Access-Control-Allow-Origin":
-			validCORSHeadersAndValues[header] = "*"
 		case "Access-Control-Allow-Headers":
 			validCORSHeadersAndValues[header] = allowedHeaders
 		case "Access-Control-Allow-Methods":
@@ -68,7 +66,6 @@ func getValidCORSHeaders(envHeaders map[string]string) map[string]string {
 // AllowedCORSHeader returns the HTTP headers used for CORS configuration in web applications.
 func AllowedCORSHeader() []string {
 	return []string{
-		"Access-Control-Allow-Origin",
 		"Access-Control-Allow-Headers",
 		"Access-Control-Allow-Methods",
 		"Access-Control-Allow-Credentials",
diff --git a/pkg/middleware/cors_test.go b/pkg/middleware/cors_test.go
@@ -57,20 +57,17 @@ func Test_getValidCORSHeaders(t *testing.T) {
 	}{
 		{map[string]string{},
 			map[string]string{
-				"Access-Control-Allow-Origin":  "*",
 				"Access-Control-Allow-Headers": allowedHeaders,
 				"Access-Control-Allow-Methods": allowedMethods,
 			},
 		},
 		{map[string]string{
 			"Access-Control-Max-Age":       strconv.Itoa(600),
 			"Access-Control-Allow-Headers": "",
-			"Access-Control-Allow-Origin":  "same-origin",
 			"Access-Control-Allow-Methods": http.MethodPost,
 		},
 			map[string]string{
 				"Access-Control-Max-Age":       strconv.Itoa(600),
-				"Access-Control-Allow-Origin":  "same-origin",
 				"Access-Control-Allow-Headers": allowedHeaders,
 				"Access-Control-Allow-Methods": http.MethodPost,
 			},
@@ -79,7 +76,6 @@ func Test_getValidCORSHeaders(t *testing.T) {
 			"Access-Control-Allow-Headers": "clientid",
 		},
 			map[string]string{
-				"Access-Control-Allow-Origin":  "*",
 				"Access-Control-Allow-Headers": allowedHeaders + ", clientid",
 				"Access-Control-Allow-Methods": allowedMethods,
 			},
@@ -93,7 +89,6 @@ func Test_getValidCORSHeaders(t *testing.T) {
 			map[string]string{
 				"Access-Control-Allow-Credentials": "true",
 				"Access-Control-Max-Age":           strconv.Itoa(600),
-				"Access-Control-Allow-Origin":      "*",
 				"Access-Control-Allow-Headers":     allowedHeaders,
 				"Access-Control-Allow-Methods":     allowedMethods,
 			},
