
Sending cookies cross domain requires withCredentials set to true, which means Access-Control-Allow-Origin cannot be a wildcard.

But there is an easy way around this.

```go
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
```

This will effectively allow all origins, but is this the recommended way of doing this?

It seems like there is a reason for not allowing all origins:

CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true

What is the general recommended way of allowing all origins when withCredentials is true?

Jal
  • You should only allow trusted origins. – Adrian Jan 29 '18 at 19:30
  • 1) Create a list of allowed origins, 2) check the `r.Header.Get("Origin")` value to see if it’s an allowed origin in the list, 2a) if `r.Header.Get("Origin")` isn’t an allowed origin, do nothing (don’t send the Access-Control-Allow-Origin header back at all), 2b) if `r.Header.Get("Origin")` is an allowed origin in your list, then do `w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))` – sideshowbarker Jan 29 '18 at 22:51
  • Allowing all origins with credentials is wildly insecure, because it exposes your users to cross-origin attacks, as described in https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties. Don't do it. Instead, only allow origins from a restricted allowlist. Or if you must allow all origins, don't rely on cookie-based authentication. – jub0bs Feb 12 '23 at 14:57
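The allowlist approach described in sideshowbarker's and jub0bs's comments, written out as an added Go example (this is not code from the question or from the commenters). The entries in allowedOrigins are constructed placeholders, and the probe helper only exists to show the header each origin gets back.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed allowlist (placeholder values, not from the question).
// Entries are exact scheme://host[:port] strings: no wildcards, no prefix or suffix matching,
// so lookalikes such as https://app.example.com.attacker.test never match.
var allowedOrigins = map[string]bool{
	"https://app.example.com":   true,
	"https://admin.example.com": true,
}

// corsWithCredentials wraps h. If the request's Origin is on the allowlist, it echoes
// that exact origin back and permits credentials; otherwise it sends no CORS headers
// at all, so the browser refuses to expose the cross-origin response to the page.
func corsWithCredentials(allowed map[string]bool, h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if allowed[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			// The response now varies by Origin; stop shared caches from serving it to another origin.
			w.Header().Add("Vary", "Origin")
			if r.Method == http.MethodOptions { // preflight: answer without running the handler
				w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
				w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		h.ServeHTTP(w, r)
	})
}

// probe returns the Access-Control-Allow-Origin value the middleware emits for origin
// ("" means the header was withheld). It drives a recorded request, so it runs offline.
func probe(origin string) string {
	h := corsWithCredentials(allowedOrigins, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/profile", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	fmt.Printf("%q\n", probe("https://app.example.com"))               // "https://app.example.com"
	fmt.Printf("%q\n", probe("https://app.example.com.attacker.test")) // ""
}
```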

0 Answers