http: CORS should not be send if not set (#6433)

2025-08-18 01:20:16 +02:00 · 2023-07-29 02:58:37 +00:00
parent e66675d346
commit f4449440f8
3 changed files with 51 additions and 18 deletions
--- a/lib/http/middleware.go
+++ b/lib/http/middleware.go
@@ -173,14 +173,10 @@ func MiddlewareCORS(allowOrigin string) Middleware {

 			if allowOrigin != "" {
 				w.Header().Add("Access-Control-Allow-Origin", allowOrigin)
-			} else {
-				w.Header().Add("Access-Control-Allow-Origin", PublicURL(r))
+				w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
+				w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
 			}

-			// echo back access control headers client needs
-			w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
-			w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
-
 			if r.Method == "OPTIONS" {
 				w.WriteHeader(http.StatusOK)
 				return