Description
Bug Description
I tried to set the CORS config AllowedOriginsFunc to define my custom logic for Origin header handling. The response always returned * in the Access-Control-Allow-Origin header. I expected the header to contain the origin allowed by the AllowedOriginFunc config I defined before.
I checked the code and found that the AllowedOrigins config was set to * when it was empty, which IMO is not required if the AllowedOriginsFunc config is already defined. When the user sets the AllowedOriginsFunc then they should know that the AllowedOrigins config will not be used or ignored.
I think this is a bug and should be fixed. I can make time for it. Let me know if you think otherwise. Thank you.
How to Reproduce
- Set CORS middleware with only
AllowedOriginsFuncconfig defined. - The preflight (OPTIONS) request will always return
Access-Control-Allow-Originheader with value*.
Expected Behavior
The middleware should return Access-Control-Allow-Origin header with a value containing the origin allowed by AllowedOriginsFunc config instead of *.
Fiber Version
2.49.2
Code Snippet (optional)
package main
import "github.com/gofiber/fiber/v2"
import "github.com/gofiber/fiber/v2/middleware/cors"
import "log"
import "strings"
func main() {
app := fiber.New()
// Steps to reproduce
app.Use(cors.New(cors.Config{
AllowOriginsFunc: func(origin string) bool {
// Complicated logic here
return strings.HasSuffix(origin, "example.com:13131")
},
}))
log.Fatal(app.Listen(":3000"))
}Checklist:
- I agree to follow Fiber's Code of Conduct.
- I have checked for existing issues that describe my problem prior to opening this one.
- I understand that improperly formatted bug reports may be closed without explanation.