fix: remove AllowCredentials check for allow origins (#16)

Bo-Yi Wu 2017-02-27 14:30:00 +08:00 committed by GitHub
parent 79e0d17cc9
commit bec00ec825
2 changed files with 9 additions and 1 deletions


@ -48,7 +48,7 @@ func (cors *cors) applyCors(c *gin.Context) {
cors.handleNormal(c) cors.handleNormal(c)
} }
if !cors.allowAllOrigins && !cors.allowCredentials { if !cors.allowAllOrigins {
c.Header("Access-Control-Allow-Origin", origin) c.Header("Access-Control-Allow-Origin", origin)
} }
} }
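Review bot: The response now depends on the request origin in the credentialed case as well, but nothing in this hunk sets `Vary: Origin` next to `c.Header("Access-Control-Allow-Origin", origin)`, so a shared cache could hand one origin's response to another. applyCors starts and ends outside the hunk, so this may already be done elsewhere; if it is not, add `c.Writer.Header().Add("Vary", "Origin")` inside the same `if !cors.allowAllOrigins` branch. A short comment there, such as `// origin has already been matched against the allow list above`, would also record the assumption that makes echoing the origin safe when credentials are enabled.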


@ -238,6 +238,12 @@ func TestPassesAllowedOrigins(t *testing.T) {
assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials")) assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials"))
assert.Equal(t, "Data,X-User", w.Header().Get("Access-Control-Expose-Headers")) assert.Equal(t, "Data,X-User", w.Header().Get("Access-Control-Expose-Headers"))
w = performRequest(router, "GET", "http://github.com")
assert.Equal(t, "get", w.Body.String())
assert.Equal(t, "http://github.com", w.Header().Get("Access-Control-Allow-Origin"))
assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials"))
assert.Equal(t, "Data,X-User", w.Header().Get("Access-Control-Expose-Headers"))
// deny CORS request // deny CORS request
w = performRequest(router, "GET", "https://google.com") w = performRequest(router, "GET", "https://google.com")
assert.Equal(t, 403, w.Code) assert.Equal(t, 403, w.Code)
@ -280,6 +286,7 @@ func TestPassesAllowedAllOrigins(t *testing.T) {
assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers")) assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers"))
assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
// allowed CORS request // allowed CORS request
w = performRequest(router, "POST", "example.com") w = performRequest(router, "POST", "example.com")
@ -287,6 +294,7 @@ func TestPassesAllowedAllOrigins(t *testing.T) {
assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin")) assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin"))
assert.Equal(t, "Data2,X-User2", w.Header().Get("Access-Control-Expose-Headers")) assert.Equal(t, "Data2,X-User2", w.Header().Get("Access-Control-Expose-Headers"))
assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials")) assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin"))
// allowed CORS prefligh request // allowed CORS prefligh request
w = performRequest(router, "OPTIONS", "https://facebook.com") w = performRequest(router, "OPTIONS", "https://facebook.com")
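Review bot: The new assertions do not appear to exercise the case this commit fixes. The added `http://github.com` request in TestPassesAllowedOrigins expects `Access-Control-Allow-Credentials` to be empty, which suggests the router under test has credentials disabled; if so, the old condition `!cors.allowAllOrigins && !cors.allowCredentials` would have passed it too. The router setup is outside the hunk, so this is inferred. A case with an explicit origin list and AllowCredentials enabled would pin the fix, asserting `assert.Equal(t, "true", w.Header().Get("Access-Control-Allow-Credentials"))` together with the echoed origin. The two lines added in TestPassesAllowedAllOrigins repeat assertions that already sit directly above them and could be dropped.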