From 079d301c5006f633066eb0b59e8250a818cb802f Mon Sep 17 00:00:00 2001
From: Aaron Zingerle
Date: Fri, 11 Oct 2024 14:02:36 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=A9=B9=20Fix:=20Middleware/CORS=20Remove?=
 =?UTF-8?q?=20Scheme=20Restriction=20(#3163)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🩹 Fix: middleware/cors remove scheme restriction (gofiber#3160)

Co-authored-by: Aaron Zingerle
Co-authored-by: M. Efe Çetin
---
 middleware/cors/utils.go      | 5 -----
 middleware/cors/utils_test.go | 1 +
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/middleware/cors/utils.go b/middleware/cors/utils.go
index f5338dcc..66ed9248 100644
--- a/middleware/cors/utils.go
+++ b/middleware/cors/utils.go
@@ -37,11 +37,6 @@ func normalizeOrigin(origin string) (bool, string) {
 		return false, ""
 	}
 
-	// Validate the scheme is either http or https
-	if parsedOrigin.Scheme != "http" && parsedOrigin.Scheme != "https" {
-		return false, ""
-	}
-
 	// Don't allow a wildcard with a protocol
 	// wildcards cannot be used within any other value. For example, the following header is not valid:
 	// Access-Control-Allow-Origin: https://*
diff --git a/middleware/cors/utils_test.go b/middleware/cors/utils_test.go
index 84f217e5..3fc48535 100644
--- a/middleware/cors/utils_test.go
+++ b/middleware/cors/utils_test.go
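Review bot: With the http/https allowlist gone, the remaining scheme-related guarantee in normalizeOrigin rests entirely on checks outside this hunk (the `return false, ""` above and whatever rejects `file:///etc/passwd` in the tests, presumably an empty-host check), so the function's contract should say so explicitly rather than leaving the next reader to rediscover it. I would add above the wildcard comment: `// Any scheme is accepted here (e.g. app://, capacitor://); rejecting origins is left to the host and wildcard checks, and to the AllowOrigins match.` If the host requirement is not actually enforced earlier in the function, an opaque origin such as `data:text/html` would now normalize successfully, which is worth confirming before merge. normalizeOrigin begins and ends outside this hunk.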
@@ -17,6 +17,7 @@ func Test_NormalizeOrigin(t *testing.T) {
 		{origin: "http://example.com/", expectedValid: true, expectedOrigin: "http://example.com"}, // Trailing slash should be removed.
 		{origin: "http://example.com:3000", expectedValid: true, expectedOrigin: "http://example.com:3000"}, // Port should be preserved.
 		{origin: "http://example.com:3000/", expectedValid: true, expectedOrigin: "http://example.com:3000"}, // Trailing slash should be removed.
+		{origin: "app://example.com/", expectedValid: true, expectedOrigin: "app://example.com"}, // App scheme should be accepted.
 		{origin: "http://", expectedValid: false, expectedOrigin: ""}, // Invalid origin should not be accepted.
 		{origin: "file:///etc/passwd", expectedValid: false, expectedOrigin: ""}, // File scheme should not be accepted.
 		{origin: "https://*example.com", expectedValid: false, expectedOrigin: ""}, // Wildcard domain should not be accepted.
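Review bot: The new case only pins the positive side of the relaxed rule; nothing in the table shows that a scheme without an authority is still rejected now that the scheme allowlist is gone, so a regression in the host check would go unnoticed. I would add next to the `file:///etc/passwd` case: `{origin: "data:text/html,x", expectedValid: false, expectedOrigin: ""}, // Opaque (host-less) scheme should not be accepted.` The `file://` case passes because its host is empty, not because of its scheme, so the existing comment "File scheme should not be accepted" is now slightly misleading and could read "Host-less file:// origin should not be accepted." The table continues outside this hunk.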