mirror of https://github.com/gofiber/fiber.git
🩹 Fix: Middleware/CORS Remove Scheme Restriction (#3163)
🩹 Fix: middleware/cors remove scheme restriction (gofiber#3160)
Co-authored-by: Aaron Zingerle <aaron.zingerle@vipaso.io>
Co-authored-by: M. Efe Çetin <efectn@protonmail.com>
pull/3164/head
parent
3fc1b29748
commit
079d301c50
|
@ -37,11 +37,6 @@ func normalizeOrigin(origin string) (bool, string) {
|
|||
return false, ""
|
||||
}
|
||||
|
||||
// Validate the scheme is either http or https
|
||||
if parsedOrigin.Scheme != "http" && parsedOrigin.Scheme != "https" {
|
||||
return false, ""
|
||||
}
|
||||
|
||||
// Don't allow a wildcard with a protocol
|
||||
// wildcards cannot be used within any other value. For example, the following header is not valid:
|
||||
// Access-Control-Allow-Origin: https://*
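Review bot: With the http/https check removed from normalizeOrigin, nothing visible in this hunk constrains the scheme any more, and no comment records that this is intentional. Any origin that parses with a host now appears to be treated as valid, so if this function is also used to validate configured origins, a typo such as `htps://example.com` would pass validation and simply never match a request. I would leave a comment where the removed block was, for example `// The scheme is deliberately not restricted so custom schemes (e.g. app://) can be listed; callers must only configure origins whose scheme they trust.` The function starts and ends outside the hunk, so the earlier checks are inferred only from the `return false, ""` above.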
|
||||
|
|
|
@ -17,6 +17,7 @@ func Test_NormalizeOrigin(t *testing.T) {
|
|||
{origin: "http://example.com/", expectedValid: true, expectedOrigin: "http://example.com"}, // Trailing slash should be removed.
|
||||
{origin: "http://example.com:3000", expectedValid: true, expectedOrigin: "http://example.com:3000"}, // Port should be preserved.
|
||||
{origin: "http://example.com:3000/", expectedValid: true, expectedOrigin: "http://example.com:3000"}, // Trailing slash should be removed.
|
||||
{origin: "app://example.com/", expectedValid: true, expectedOrigin: "app://example.com"}, // App scheme should be accepted.
|
||||
{origin: "http://", expectedValid: false, expectedOrigin: ""}, // Invalid origin should not be accepted.
|
||||
{origin: "file:///etc/passwd", expectedValid: false, expectedOrigin: ""}, // File scheme should not be accepted.
|
||||
{origin: "https://*example.com", expectedValid: false, expectedOrigin: ""}, // Wildcard domain should not be accepted.
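Review bot: The comment on the `file:///etc/passwd` row, "File scheme should not be accepted", no longer explains why that case fails. The scheme is not checked after this commit, so the rejection presumably comes from the empty host, and a file origin that does carry a host would probably be accepted. I would reword it to `// Origin without a host should not be accepted.` and add a row such as `{origin: "app://", expectedValid: false, expectedOrigin: ""},` so that a custom scheme with no host is pinned as invalid too. The test table starts and ends outside the hunk.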
|
||||
|
|