Fix CORS Access-Control-Allow-Origin in DEBUG

- Change the wildcard origin `*` to `http://*` and `https://*` in case of broswer blocking cookie request.
NUAA-Open-Source · Mar 28, 2019 · 21d5cef · 21d5cef
1 parent 231c30e
commit 21d5cef
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -4,6 +4,7 @@ log/
 # Ignore docker database volume
 db-data/
 data/
+data-dev/
 
 # Ignore binary file and only file
 safeu-backend

diff --git a/common/const.go b/common/const.go
@@ -72,12 +72,18 @@ var CORS_ALLOW_ORIGINS = []string{
 	"http://test.safeu.a2os.club",
 }
 
+var CORS_ALLOW_DEBUG_ORIGINS = []string{
+	"http://*",
+	"https://*",
+}
+
 var CORS_ALLOW_HEADERS = []string{
 	"Origin",
 	"Content-Length",
 	"Content-Type",
 	"Token",
 	"X-CSRF-TOKEN",
+	"withCredentials",
 }
 
 var CORS_ALLOW_METHODS = []string{

diff --git a/main.go b/main.go
@@ -94,11 +94,15 @@ func main() {
 	// CORS
 	if common.DEBUG {
 		r.Use(cors.New(cors.Config{
-			AllowAllOrigins:  true,
+			// The value of the 'Access-Control-Allow-Origin' header in the
+			// response must not be the wildcard '*' when the request's
+			// credentials mode is 'include'.
+			AllowOrigins:     common.CORS_ALLOW_DEBUG_ORIGINS,
 			AllowMethods:     common.CORS_ALLOW_METHODS,
 			AllowHeaders:     common.CORS_ALLOW_HEADERS,
 			ExposeHeaders:    common.CORS_EXPOSE_HEADERS,
 			AllowCredentials: true,
+			AllowWildcard:    true,
 			MaxAge:           12 * time.Hour,
 		}))
 		//r.Use(CORS())