Cors error

[juancer]

Hello,

I'm having problems with CORS on my backend with the PUT request. This is my conf:

r := gin.Default()
	config := cors.DefaultConfig()
	config.AllowOrigins = []string{"https://domain1.es", "https://www.domain1.es", "https://domain2.es", "https://www.domain2.es", "http://ip", "https://ip"}
	config.AllowCredentials = true
	config.AllowMethods = []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}
	config.AllowHeaders = []string{"Origin", "Content-Length", "Content-Type", "Authorization", "user-agent", "X-Requested-With", "Token"}
	config.MaxAge = 12 * time.Hour
	config.AllowOriginFunc = func(origin string) bool {
		return origin == "https://domain1.es, https://domain2.es, https://www.domain1.es, https://www.domain2.es, http://ip, https://ip"
	}
	r.Use(cors.New(config))

I'm also trying to manage my option request and checking the headers to print them on my console:

r.OPTIONS("/service", func(c *gin.Context) {
		c.Header("Access-Control-Allow-Origin", "https://domain1.es, https://domain2.es, https://www.domain1.es, https://www.domain2.es, http://ip, https://ip")
		c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
		c.Header("Access-Control-Allow-Headers", "Authorization, Content-Type, Origin, Content-Length, user-agent, X-Requested-With, Token")
		c.Header("AllowCredentials", "true")
		fmt.Println("Headers from the request:")

		origin := c.Request.Header.Get("Origin")
		if !isValidOrigin(origin, config.AllowOrigins) {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid CORS origin"})
			return
		}
		c.JSON(http.StatusNoContent, nil)
	})

However, when I try to call with the put, I'm getting 403 error on my browser and this message: "CORS missing allow origin" with the PUT request, and, in my console, I only get:
[GIN] 2024/02/05 - 14:23:17 | 204 | 63.98µs | ip | OPTIONS "/service"
(this is the reason because I'm adding the ip in the allow origins)

I have:
GET /service
PUT /service
DELETE /service
OPTIONS /service -> to manage this preflight request

Here is a playground with the full example

Could someone help me to clarify my situation?

Thanks,

[dbhoot]

What's the origin your request is coming from? Most likely, the origin doesn't match and the cors middleware is aborting.

[jub0bs]

The callback assigned to AllowOriginFunc is incorrect because

https://domain1.es, https://domain2.es, https://www.domain1.es, https://www.domain2.es, http://ip, https://ip

is not a valid Web-origin value. And because that field, when set, takes precedence over AllowOrigins, the resulting CORS middleware is dysfunctional. cors.New could alert you to such misconfigurations by returning an error result, but it sadly doesn't. To fix your issue, just get rid of AllowOriginFunc in your Config struct.