CORS: reject requests with 401 for non-preflight request with not matching origin header (#2732)

aldas · web-flow · commit ee3e1297788e · 2025-01-07T22:06:28.000+02:00
diff --git a/middleware/cors.go b/middleware/cors.go
@@ -262,7 +262,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 			// Origin not allowed
 			if allowOrigin == "" {
 				if !preflight {
-					return next(c)
+					return echo.ErrUnauthorized
 				}
 				return c.NoContent(http.StatusNoContent)
 			}
diff --git a/middleware/cors_test.go b/middleware/cors_test.go
@@ -525,7 +525,7 @@ func TestCorsHeaders(t *testing.T) {
 			allowedOrigin: "http://example.com",
 			method:        http.MethodGet,
 			expected:      false,
-			expectStatus:  http.StatusOK,
+			expectStatus:  http.StatusUnauthorized,
 		},
 		{
 			name:          "non-preflight request, allow specific origin, matching origin header = CORS logic done",

Original file line number	Diff line number	Diff line change
`@@ -262,7 +262,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {`
`262`	`262`	`// Origin not allowed`
`263`	`263`	`if allowOrigin == "" {`
`264`	`264`	`if !preflight {`
`265`		`- return next(c)`
	`265`	`+ return echo.ErrUnauthorized`
`266`	`266`	`}`
`267`	`267`	`return c.NoContent(http.StatusNoContent)`
`268`	`268`	`}`
Original file line number	Diff line number	Diff line change
`@@ -525,7 +525,7 @@ func TestCorsHeaders(t *testing.T) {`
`525`	`525`	`allowedOrigin: "http://example.com",`
`526`	`526`	`method: http.MethodGet,`
`527`	`527`	`expected: false,`
`528`		`- expectStatus: http.StatusOK,`
	`528`	`+ expectStatus: http.StatusUnauthorized,`
`529`	`529`	`},`
`530`	`530`	`{`
`531`	`531`	`name: "non-preflight request, allow specific origin, matching origin header = CORS logic done",`