7 changed files with 51 additions and 84 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -2,10 +2,9 @@ language: go
 sudo: false

 go:
-  - 1.6.x
-  - 1.7.x
-  - 1.8.x
-  - 1.9.x
+  - 1.5.4
+  - 1.6.3
+  - 1.7.3
  - tip

 script:
--- a/README.md
+++ b/README.md
@ -4,7 +4,8 @@
 [![codecov](https://codecov.io/gh/gin-contrib/cors/branch/master/graph/badge.svg)](https://codecov.io/gh/gin-contrib/cors)
 [![Go Report Card](https://goreportcard.com/badge/github.com/gin-contrib/cors)](https://goreportcard.com/report/github.com/gin-contrib/cors)
 [![GoDoc](https://godoc.org/github.com/gin-contrib/cors?status.svg)](https://godoc.org/github.com/gin-contrib/cors)
-[![Join the chat at https://gitter.im/gin-gonic/gin](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/gin-gonic/gin)
+[![Join the chat at https://gitter.im/gin-gonic/gin](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/gin-gonic/gin?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+

 Gin middleware/handler to enable CORS support.

@ -12,16 +13,16 @@ Gin middleware/handler to enable CORS support.

 ### Start using it

-Download and install it:
+1. Download and install it:

 ```sh
-$ go get github.com/gin-contrib/cors
+$ go get gopkg.in/gin-contrib/cors.v1
 ```

-Import it in your code:
+2. Import it in your code:

 ```go
-import "github.com/gin-contrib/cors"
+import "gopkg.in/gin-contrib/cors.v1"
 ```

 ### Canonical example:
@ -32,8 +33,8 @@ package main
 import (
 	"time"

-	"github.com/gin-contrib/cors"
-	"github.com/gin-gonic/gin"
+	"gopkg.in/gin-contrib/cors.v1"
+	"gopkg.in/gin-gonic/gin.v1"
 )

 func main() {
--- a/config.go
+++ b/config.go
@ -3,12 +3,11 @@ package cors
 import (
 	"net/http"

-	"github.com/gin-gonic/gin"
+	"gopkg.in/gin-gonic/gin.v1"
 )

 type cors struct {
 	allowAllOrigins  bool
-	allowCredentials bool
 	allowOriginFunc  func(string) bool
 	allowOrigins     []string
 	exposeHeaders    []string
@ -23,7 +22,6 @@ func newCors(config Config) *cors {
 	return &cors{
 		allowOriginFunc:  config.AllowOriginFunc,
 		allowAllOrigins:  config.AllowAllOrigins,
-		allowCredentials: config.AllowCredentials,
 		allowOrigins:     normalize(config.AllowOrigins),
 		normalHeaders:    generateNormalHeaders(config),
 		preflightHeaders: generatePreflightHeaders(config),
--- a/cors.go
+++ b/cors.go
@ -5,7 +5,7 @@ import (
 	"strings"
 	"time"

-	"github.com/gin-gonic/gin"
+	"gopkg.in/gin-gonic/gin.v1"
 )

 // Config represents all available options for the middleware.
@ -14,7 +14,7 @@ type Config struct {

 	// AllowedOrigins is a list of origins a cross-domain request can be executed from.
 	// If the special "*" value is present in the list, all origins will be allowed.
-	// Default value is []
+	// Default value is ["*"]
 	AllowOrigins []string

 	// AllowOriginFunc is a custom function to validate the origin. It take the origin
@ -28,6 +28,8 @@ type Config struct {

 	// AllowedHeaders is list of non simple headers the client is allowed to use with
 	// cross-domain requests.
+	// If the special "*" value is present in the list, all headers will be allowed.
+	// Default value is [] but "Origin" is always appended to the list.
 	AllowHeaders []string

 	// AllowCredentials indicates whether the request can include user credentials like
@ -67,8 +69,8 @@ func (c Config) Validate() error {
 		return errors.New("conflict settings: all origins disabled")
 	}
 	for _, origin := range c.AllowOrigins {
-		if origin != "*" && !strings.HasPrefix(origin, "http://") && !strings.HasPrefix(origin, "https://") {
-			return errors.New("bad origin: origins must either be '*' or include http:// or https://")
+		if !strings.HasPrefix(origin, "http://") && !strings.HasPrefix(origin, "https://") {
+			return errors.New("bad origin: origins must include http:// or https://")
 		}
 	}
 	return nil
--- a/cors_test.go
+++ b/cors_test.go
@ -3,12 +3,11 @@ package cors
 import (
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 	"time"

-	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
+	"gopkg.in/gin-gonic/gin.v1"
 )

 func init() {
@ -95,14 +94,6 @@ func TestNormalize(t *testing.T) {
 	assert.Equal(t, values, []string{})
 }

-func TestConvert(t *testing.T) {
-	methods := []string{"Get", "GET", "get"}
-	headers := []string{"X-CSRF-TOKEN", "X-CSRF-Token", "x-csrf-token"}
-
-	assert.Equal(t, []string{"GET", "GET", "GET"}, convert(methods, strings.ToUpper))
-	assert.Equal(t, []string{"X-Csrf-Token", "X-Csrf-Token", "X-Csrf-Token"}, convert(headers, http.CanonicalHeaderKey))
-}
-
 func TestGenerateNormalHeaders_AllowAllOrigins(t *testing.T) {
 	header := generateNormalHeaders(Config{
 		AllowAllOrigins: false,
@ -132,7 +123,7 @@ func TestGenerateNormalHeaders_ExposedHeaders(t *testing.T) {
 	header := generateNormalHeaders(Config{
 		ExposeHeaders: []string{"X-user", "xPassword"},
 	})
-	assert.Equal(t, header.Get("Access-Control-Expose-Headers"), "X-User,Xpassword")
+	assert.Equal(t, header.Get("Access-Control-Expose-Headers"), "x-user,xpassword")
 	assert.Equal(t, header.Get("Vary"), "Origin")
 	assert.Len(t, header, 2)
 }
@ -166,7 +157,7 @@ func TestGeneratePreflightHeaders_AllowedMethods(t *testing.T) {
 	header := generatePreflightHeaders(Config{
 		AllowMethods: []string{"GET ", "post", "PUT", " put  "},
 	})
-	assert.Equal(t, header.Get("Access-Control-Allow-Methods"), "GET,POST,PUT")
+	assert.Equal(t, header.Get("Access-Control-Allow-Methods"), "get,post,put")
 	assert.Equal(t, header.Get("Vary"), "Origin")
 	assert.Len(t, header, 2)
 }
@ -175,7 +166,7 @@ func TestGeneratePreflightHeaders_AllowedHeaders(t *testing.T) {
 	header := generatePreflightHeaders(Config{
 		AllowHeaders: []string{"X-user", "Content-Type"},
 	})
-	assert.Equal(t, header.Get("Access-Control-Allow-Headers"), "X-User,Content-Type")
+	assert.Equal(t, header.Get("Access-Control-Allow-Headers"), "x-user,content-type")
 	assert.Equal(t, header.Get("Vary"), "Origin")
 	assert.Len(t, header, 2)
 }
@ -217,7 +208,7 @@ func TestPassesAllowedOrigins(t *testing.T) {
 		AllowMethods:     []string{" GeT ", "get", "post", "PUT  ", "Head", "POST"},
 		AllowHeaders:     []string{"Content-type", "timeStamp "},
 		ExposeHeaders:    []string{"Data", "x-User"},
-		AllowCredentials: false,
+		AllowCredentials: true,
 		MaxAge:           12 * time.Hour,
 		AllowOriginFunc: func(origin string) bool {
 			return origin == "http://github.com"
@ -226,43 +217,37 @@ func TestPassesAllowedOrigins(t *testing.T) {

 	// no CORS request, origin == ""
 	w := performRequest(router, "GET", "")
-	assert.Equal(t, "get", w.Body.String())
+	assert.Equal(t, w.Body.String(), "get")
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
 	assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers"))

 	// allowed CORS request
 	w = performRequest(router, "GET", "http://google.com")
-	assert.Equal(t, "get", w.Body.String())
-	assert.Equal(t, "http://google.com", w.Header().Get("Access-Control-Allow-Origin"))
-	assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials"))
-	assert.Equal(t, "Data,X-User", w.Header().Get("Access-Control-Expose-Headers"))
-
-	w = performRequest(router, "GET", "http://github.com")
-	assert.Equal(t, "get", w.Body.String())
-	assert.Equal(t, "http://github.com", w.Header().Get("Access-Control-Allow-Origin"))
-	assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials"))
-	assert.Equal(t, "Data,X-User", w.Header().Get("Access-Control-Expose-Headers"))
+	assert.Equal(t, w.Body.String(), "get")
+	assert.Equal(t, w.Header().Get("Access-Control-Allow-Origin"), "http://google.com")
+	assert.Equal(t, w.Header().Get("Access-Control-Allow-Credentials"), "true")
+	assert.Equal(t, w.Header().Get("Access-Control-Expose-Headers"), "data,x-user")

 	// deny CORS request
 	w = performRequest(router, "GET", "https://google.com")
-	assert.Equal(t, 403, w.Code)
+	assert.Equal(t, w.Code, 403)
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
 	assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers"))

 	// allowed CORS prefligh request
 	w = performRequest(router, "OPTIONS", "http://github.com")
-	assert.Equal(t, 200, w.Code)
-	assert.Equal(t, "http://github.com", w.Header().Get("Access-Control-Allow-Origin"))
-	assert.Equal(t, "", w.Header().Get("Access-Control-Allow-Credentials"))
-	assert.Equal(t, "GET,POST,PUT,HEAD", w.Header().Get("Access-Control-Allow-Methods"))
-	assert.Equal(t, "Content-Type,Timestamp", w.Header().Get("Access-Control-Allow-Headers"))
-	assert.Equal(t, "43200", w.Header().Get("Access-Control-Max-Age"))
+	assert.Equal(t, w.Code, 200)
+	assert.Equal(t, w.Header().Get("Access-Control-Allow-Origin"), "http://github.com")
+	assert.Equal(t, w.Header().Get("Access-Control-Allow-Credentials"), "true")
+	assert.Equal(t, w.Header().Get("Access-Control-Allow-Methods"), "get,post,put,head")
+	assert.Equal(t, w.Header().Get("Access-Control-Allow-Headers"), "content-type,timestamp")
+	assert.Equal(t, w.Header().Get("Access-Control-Max-Age"), "43200")

 	// deny CORS prefligh request
 	w = performRequest(router, "OPTIONS", "http://example.com")
-	assert.Equal(t, 403, w.Code)
+	assert.Equal(t, w.Code, 403)
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Methods"))
@ -282,26 +267,24 @@ func TestPassesAllowedAllOrigins(t *testing.T) {

 	// no CORS request, origin == ""
 	w := performRequest(router, "GET", "")
-	assert.Equal(t, "get", w.Body.String())
+	assert.Equal(t, w.Body.String(), "get")
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
 	assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers"))
-	assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))

 	// allowed CORS request
 	w = performRequest(router, "POST", "example.com")
-	assert.Equal(t, "post", w.Body.String())
-	assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin"))
-	assert.Equal(t, "Data2,X-User2", w.Header().Get("Access-Control-Expose-Headers"))
+	assert.Equal(t, w.Body.String(), "post")
+	assert.Equal(t, w.Header().Get("Access-Control-Allow-Origin"), "*")
+	assert.Equal(t, w.Header().Get("Access-Control-Expose-Headers"), "data2,x-user2")
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
-	assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin"))

 	// allowed CORS prefligh request
 	w = performRequest(router, "OPTIONS", "https://facebook.com")
-	assert.Equal(t, 200, w.Code)
-	assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin"))
-	assert.Equal(t, "PATCH,GET,POST", w.Header().Get("Access-Control-Allow-Methods"))
-	assert.Equal(t, "Content-Type,Testheader", w.Header().Get("Access-Control-Allow-Headers"))
-	assert.Equal(t, "36000", w.Header().Get("Access-Control-Max-Age"))
+	assert.Equal(t, w.Code, 200)
+	assert.Equal(t, w.Header().Get("Access-Control-Allow-Origin"), "*")
+	assert.Equal(t, w.Header().Get("Access-Control-Allow-Methods"), "patch,get,post")
+	assert.Equal(t, w.Header().Get("Access-Control-Allow-Headers"), "content-type,testheader")
+	assert.Equal(t, w.Header().Get("Access-Control-Max-Age"), "36000")
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
 }
--- a/examples/example.go
+++ b/examples/example.go
@ -3,8 +3,8 @@ package main
 import (
 	"time"

-	"github.com/gin-contrib/cors"
-	"github.com/gin-gonic/gin"
+	"gopkg.in/gin-contrib/cors.v1"
+	"gopkg.in/gin-gonic/gin.v1"
 )

 func main() {
--- a/utils.go
+++ b/utils.go
@ -7,15 +7,13 @@ import (
 	"time"
 )

-type converter func(string) string
-
 func generateNormalHeaders(c Config) http.Header {
 	headers := make(http.Header)
 	if c.AllowCredentials {
 		headers.Set("Access-Control-Allow-Credentials", "true")
 	}
 	if len(c.ExposeHeaders) > 0 {
-		exposeHeaders := convert(normalize(c.ExposeHeaders), http.CanonicalHeaderKey)
+		exposeHeaders := normalize(c.ExposeHeaders)
 		headers.Set("Access-Control-Expose-Headers", strings.Join(exposeHeaders, ","))
 	}
 	if c.AllowAllOrigins {
@ -32,12 +30,12 @@ func generatePreflightHeaders(c Config) http.Header {
 		headers.Set("Access-Control-Allow-Credentials", "true")
 	}
 	if len(c.AllowMethods) > 0 {
-		allowMethods := convert(normalize(c.AllowMethods), strings.ToUpper)
+		allowMethods := normalize(c.AllowMethods)
 		value := strings.Join(allowMethods, ",")
 		headers.Set("Access-Control-Allow-Methods", value)
 	}
 	if len(c.AllowHeaders) > 0 {
-		allowHeaders := convert(normalize(c.AllowHeaders), http.CanonicalHeaderKey)
+		allowHeaders := normalize(c.AllowHeaders)
 		value := strings.Join(allowHeaders, ",")
 		headers.Set("Access-Control-Allow-Headers", value)
 	}
@ -48,13 +46,7 @@ func generatePreflightHeaders(c Config) http.Header {
 	if c.AllowAllOrigins {
 		headers.Set("Access-Control-Allow-Origin", "*")
 	} else {
-		// Always set Vary headers
-		// see https://github.com/rs/cors/issues/10,
-		// https://github.com/rs/cors/commit/dbdca4d95feaa7511a46e6f1efb3b3aa505bc43f#commitcomment-12352001
-
-		headers.Add("Vary", "Origin")
-		headers.Add("Vary", "Access-Control-Request-Method")
-		headers.Add("Vary", "Access-Control-Request-Headers")
+		headers.Set("Vary", "Origin")
 	}
 	return headers
 }
@ -75,11 +67,3 @@ func normalize(values []string) []string {
 	}
 	return normalized
 }
-
-func convert(s []string, c converter) []string {
-	var out []string
-	for _, i := range s {
-		out = append(out, c(i))
-	}
-	return out
-}