allow all origins wildcard not supported by chrome

Question

allow all origins wildcard not supported by chrome

cameronbraid opened this issue 3 years ago · comments

Am getting an error in chrome dev tools :

Access to CSS stylesheet at 'https://..' from origin 'https://...' has been blocked by CORS policy:
 The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard
  '*' when the request's credentials mode is 'include'.
16:11:31.942

How should I handle this to make go-chi write the request origin header instead ?

Cameron Braid · Answer 1 · Wed May 12 2021 14:59:02 GMT+0800 (China Standard Time)

I found a workaround

use AllowedOrigins=["https://*","http://*"] and AllowCredentials=true

Joe Santos · Answer 2 · Sun Mar 26 2023 00:54:31 GMT+0800 (China Standard Time)

Should the library default URLs without a protocol to contain on the []slice a version with http and a version with https?
Probably not, it would introduce a bit of "magic" and maybe the developer should know that he needs to set them. If so, should this be documented on the documentation? Should an error be thrown in case the developer doesn't set the protocols?

I can work on this upon decisions.