Sending cookies cross-domain requires setting withCredentials to true, which means Access-Control-Allow-Origin cannot be a wildcard.

But there is an easy way around this.

```go
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
```

This will effectively allow all origins, but is this the recommended way of doing this?

It seems like there is a reason for not allowing all origins

CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true

What is the generally recommended way of allowing all origins when withCredentials is true?

Jal
  • You should only allow trusted origins. – Adrian Jan 29 '18 at 19:30
  • 1) Create a list of allowed origins, 2) check the `r.Header.Get("Origin")` value to see if it’s an allowed origin in the list, 2a) If `r.Header.Get("Origin")` isn’t an allowed origin, do nothing (don’t send the Access-Control-Allow-Origin header back at all), 2b) if `r.Header.Get("Origin")` is an allowed origin in your list, then do `w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))` – sideshowbarker Jan 29 '18 at 22:51
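
The allow-list check described in the comments above, as an added example that is not part of the original thread. The origins in `allowedOrigins` and the names `withCORS` and `corsHeaders` are assumptions chosen for illustration; the `Vary: Origin` and `Access-Control-Allow-Credentials` headers go beyond the steps in the comment.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed allow-list; the hosts are placeholders.
var allowedOrigins = map[string]bool{
	"https://app.example.com":   true,
	"https://admin.example.com": true,
}

// withCORS sends credentialed CORS headers only to allow-listed origins.
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The response varies by Origin, so shared caches must key on it.
		w.Header().Add("Vary", "Origin")
		origin := r.Header.Get("Origin")
		if allowedOrigins[origin] { // exact match on scheme, host and port
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		// Unlisted or missing Origin: no CORS headers are sent at all.
		next.ServeHTTP(w, r)
	})
}

// corsHeaders sends one constructed GET through the middleware and returns
// the Access-Control-Allow-Origin and -Credentials values of the response.
func corsHeaders(origin string) (string, string) {
	h := withCORS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	req := httptest.NewRequest(http.MethodGet, "/profile", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	hdr := rec.Header()
	return hdr.Get("Access-Control-Allow-Origin"), hdr.Get("Access-Control-Allow-Credentials")
}

func main() {
	for _, o := range []string{"https://app.example.com", "https://app.example.com.untrusted.test", "null"} {
		acao, acac := corsHeaders(o)
		fmt.Printf("Origin %-42q -> ACAO=%q ACAC=%q\n", o, acao, acac)
	}
}
```

The map lookup is an exact string comparison, so an origin that merely starts with or contains an allowed host, or the literal `null` origin, gets no CORS headers.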
