Skip to content

fix: prevent duplicate Access-Control-Allow-Origin header when origin…#188

Open
mkrou wants to merge 2 commits intofriendsofgo:mainfrom
mkrou:fix-cors-empty-origins
Open

fix: prevent duplicate Access-Control-Allow-Origin header when origin…#188
mkrou wants to merge 2 commits intofriendsofgo:mainfrom
mkrou:fix-cors-empty-origins

Conversation

@mkrou
Copy link

@mkrou mkrou commented Aug 1, 2025

…s is empty

When CORS origins configuration is empty, disable CORS headers to avoid conflicts with proxied server's CORS headers. This prevents duplicate Access-Control-Allow-Origin headers when killgrave is used as a proxy.

  • Add AllowedOriginValidator that returns false when origins is empty
  • Add comprehensive tests for PrepareAccessControl function
  • Maintain backward compatibility for non-empty origins configuration

Fixes issue where empty origins list would cause gorilla/handlers to add default '*' origin header, conflicting with proxied server headers.

mkrou added 2 commits August 1, 2025 16:13
@mkrou
fix: prevent duplicate Access-Control-Allow-Origin header when origin…
10e2349 
…s is empty

When CORS origins configuration is empty, disable CORS headers to avoid
conflicts with proxied server's CORS headers. This prevents duplicate
Access-Control-Allow-Origin headers when killgrave is used as a proxy.

- Add AllowedOriginValidator that returns false when origins is empty
- Add comprehensive tests for PrepareAccessControl function
- Maintain backward compatibility for non-empty origins configuration

Fixes issue where empty origins list would cause gorilla/handlers to add
default '*' origin header, conflicting with proxied server headers.
@mkrou
feat(docker): add image for docker compose build
15b2d17
@joanlopez
Copy link
Member

joanlopez commented Aug 5, 2025

Hi @mkrou,

Thanks for your contribution! 🙌🏻

Could you please split this PR into two, separating the Dockerfile addition?
Also, I'd appreciate if in the one specific for the new Dockerfile, you can detail why it's needed, etc.

joanlopez
joanlopez reviewed Aug 5, 2025
View reviewed changes
internal/server/http/server_test.go
}
}

func TestPrepareAccessControl(t *testing.T) {
Copy link
Member

@joanlopez joanlopez Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In addition to this, could you please write an "integration" test to make sure Killgrave behaves as expected? I'd also help understanding why we need it.

Thanks! 🙇🏻

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joanlopez joanlopez joanlopez left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mkrou @joanlopez