From bec00ec82559b4f4905818c2bbd7441dd64277af Mon Sep 17 00:00:00 2001
From: Bo-Yi Wu
Date: Mon, 27 Feb 2017 14:30:00 +0800
Subject: [PATCH] fix: remove AllowCredentials check for allow origins (#16)
---
 config.go | 2 +-
 cors_test.go | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/config.go b/config.go
index cd360bc..5230975 100644
--- a/config.go
+++ b/config.go
@@ -48,7 +48,7 @@ func (cors *cors) applyCors(c *gin.Context) {
 cors.handleNormal(c)
 }
 
- if !cors.allowAllOrigins && !cors.allowCredentials {
+ if !cors.allowAllOrigins {
 c.Header("Access-Control-Allow-Origin", origin)
 }
 }
diff --git a/cors_test.go b/cors_test.go
index b65cb6d..f242418 100644
--- a/cors_test.go
+++ b/cors_test.go
@@ -238,6 +238,12 @@ func TestPassesAllowedOrigins(t *testing.T) {
 assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials"))
 assert.Equal(t, "Data,X-User", w.Header().Get("Access-Control-Expose-Headers"))
 
+ w = performRequest(router, "GET", "http://github.com")
+ assert.Equal(t, "get", w.Body.String())
+ assert.Equal(t, "http://github.com", w.Header().Get("Access-Control-Allow-Origin"))
+ assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials"))
+ assert.Equal(t, "Data,X-User", w.Header().Get("Access-Control-Expose-Headers"))
+
 // deny CORS request
 w = performRequest(router, "GET", "https://google.com")
 assert.Equal(t, 403, w.Code)
@@ -280,6 +286,7 @@ func TestPassesAllowedAllOrigins(t *testing.T) {
 assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
 assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
 assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers"))
+ assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
 
 // allowed CORS request
 w = performRequest(router, "POST", "example.com")
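Review bot: With the `!cors.allowCredentials` guard removed, `c.Header("Access-Control-Allow-Origin", origin)` now reflects the request's Origin on credentialed responses as well, so its safety rests entirely on the origin having passed the allow-list check earlier in applyCors, which starts above this hunk and is not visible here. A why-comment on the branch would make that dependency explicit, e.g. `// origin was accepted by the allow-list check above; echo it because "*" is not usable with credentials`. Because the header value now varies per request, the response should also carry `Vary: Origin` so shared caches do not serve one origin's response to another; whether the headers applied by handleNormal already include it cannot be told from this hunk. The remaining `!cors.allowAllOrigins` condition also leaves the all-origins-plus-credentials configuration untouched, and it is worth confirming that the config validation rejects or handles that combination.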
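Review bot: The added `http://github.com` case in TestPassesAllowedOrigins asserts that `Access-Control-Allow-Credentials` is empty, which suggests this router runs with credentials disabled, and in that configuration the old condition `!cors.allowAllOrigins && !cors.allowCredentials` already emitted the origin. These assertions would therefore presumably have passed before the fix and do not pin the regression. The router setup is outside the hunk, so this should be confirmed against it. A case on a router with credentials enabled and a specific allowed origin, asserting the echoed origin together with `assert.Equal(t, "true", w.Header().Get("Access-Control-Allow-Credentials"))`, would cover the path the commit changes.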
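Review bot: The added `assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))` repeats verbatim the assertion two lines above it, so it adds no coverage. The same holds for the added `assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin"))` in the following hunk (@@ -287,6 +294,7), which duplicates the first context line of that hunk. Both lines can be dropped. If the intent was to cover the all-origins case with credentials enabled, that needs a router configured that way, because every assertion visible in TestPassesAllowedAllOrigins expects the credentials header to be empty.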
@@ -287,6 +294,7 @@ func TestPassesAllowedAllOrigins(t *testing.T) {
 assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin"))
 assert.Equal(t, "Data2,X-User2", w.Header().Get("Access-Control-Expose-Headers"))
 assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
+ assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin"))
 
 // allowed CORS prefligh request
 w = performRequest(router, "OPTIONS", "https://facebook.com")