Listing Origin as an allowed request header is unnecessary

The middleware lists `Origin` as an allowed request header (see [here](https://github.com/rs/cors/blob/e90f167479505c4dbe1161306c3c977f162c1442/cors.go#L166) and [here](https://github.com/rs/cors/blob/e90f167479505c4dbe1161306c3c977f162c1442/cors.go#L169)). However, listing `Origin` is never necessary because that header is added to requests by the browser, [never by the client](https://fetch.spec.whatwg.org/#forbidden-request-header). You can safely drop `Origin` from that list.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Listing Origin as an allowed request header is unnecessary #151

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Listing Origin as an allowed request header is unnecessary #151

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions