From f4449440f80c7e3de795d859920209359f0cc90b Mon Sep 17 00:00:00 2001
From: yuudi
Date: Sat, 29 Jul 2023 02:58:37 +0000
Subject: [PATCH] http: CORS should not be send if not set (#6433)
---
 fs/rc/rcserver/rcserver.go | 5 ----
 lib/http/middleware.go | 8 ++----
 lib/http/middleware_test.go | 56 ++++++++++++++++++++++++++++++++-----
 3 files changed, 51 insertions(+), 18 deletions(-)
diff --git a/fs/rc/rcserver/rcserver.go b/fs/rc/rcserver/rcserver.go
index 8afd871ce..4ded73a6c 100644
--- a/fs/rc/rcserver/rcserver.go
+++ b/fs/rc/rcserver/rcserver.go
@@ -212,11 +212,6 @@ func writeError(path string, in rc.Params, w http.ResponseWriter, err error, sta
 func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 path := strings.TrimLeft(r.URL.Path, "/")
- // echo back access control headers client needs
- //reqAccessHeaders := r.Header.Get("Access-Control-Request-Headers")
- w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
- w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
-
 switch r.Method {
 case "POST":
 s.handlePost(w, r, path)
diff --git a/lib/http/middleware.go b/lib/http/middleware.go
index 6deba60f6..07aef96ac 100644
--- a/lib/http/middleware.go
+++ b/lib/http/middleware.go
@@ -173,14 +173,10 @@ func MiddlewareCORS(allowOrigin string) Middleware {
 if allowOrigin != "" {
 w.Header().Add("Access-Control-Allow-Origin", allowOrigin)
- } else {
- w.Header().Add("Access-Control-Allow-Origin", PublicURL(r))
+ w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
+ w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
 }
- // echo back access control headers client needs
- w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
- w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
-
 if r.Method == "OPTIONS" {
 w.WriteHeader(http.StatusOK)
 return
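Review bot: The second header set inside the `if allowOrigin != ""` block on the new side, `Access-Control-Request-Method`, is a request header that the browser sends during a preflight, not one it reads back; the response-side counterpart a preflight consults is `Access-Control-Allow-Methods`, so the method list emitted here has no effect and only the allow-origin and allow-headers lines actually shape the browser's decision. The commit moved this line rather than wrote it, but after this change (and the deletion of the duplicate in rcserver.go above) it is the only place the list is emitted, so it is worth fixing in the same place: `w.Header().Add("Access-Control-Allow-Methods", "POST, OPTIONS, GET, HEAD")`. A one-line comment above the block, `// CORS headers are emitted only when an allow-origin is configured; otherwise the response stays origin-neutral and the browser blocks cross-site use`, would record the intent the PR title describes. MiddlewareCORS begins before this hunk and its closure continues past the `return` on the last line.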
diff --git a/lib/http/middleware_test.go b/lib/http/middleware_test.go
index f8ac196b9..759528d3b 100644
--- a/lib/http/middleware_test.go
+++ b/lib/http/middleware_test.go
@@ -332,13 +332,6 @@ func TestMiddlewareCORS(t *testing.T) {
 name string
 http Config
 }{
- {
- name: "EmptyOrigin",
- http: Config{
- ListenAddr: []string{"127.0.0.1:0"},
- AllowOrigin: "",
- },
- },
 {
 name: "CustomOrigin",
 http: Config{
@@ -389,6 +382,55 @@ func TestMiddlewareCORS(t *testing.T) {
 }
 }
+func TestMiddlewareCORSEmptyOrigin(t *testing.T) {
+ servers := []struct {
+ name string
+ http Config
+ }{
+ {
+ name: "EmptyOrigin",
+ http: Config{
+ ListenAddr: []string{"127.0.0.1:0"},
+ AllowOrigin: "",
+ },
+ },
+ }
+
+ for _, ss := range servers {
+ t.Run(ss.name, func(t *testing.T) {
+ s, err := NewServer(context.Background(), WithConfig(ss.http))
+ require.NoError(t, err)
+ defer func() {
+ require.NoError(t, s.Shutdown())
+ }()
+
+ expected := []byte("data")
+ s.Router().Mount("/", testEchoHandler(expected))
+ s.Serve()
+
+ url := testGetServerURL(t, s)
+
+ client := &http.Client{}
+ req, err := http.NewRequest("GET", url, nil)
+ require.NoError(t, err)
+
+ resp, err := client.Do(req)
+ require.NoError(t, err)
+ defer func() {
+ _ = resp.Body.Close()
+ }()
+
+ require.Equal(t, http.StatusOK, resp.StatusCode, "should return ok")
+
+ testExpectRespBody(t, resp, expected)
+
+ for _, key := range _testCORSHeaderKeys {
+ require.NotContains(t, resp.Header, key, "CORS headers should not be sent")
+ }
+ })
+ }
+}
+
 func TestMiddlewareCORSWithAuth(t *testing.T) {
 authServers := []struct {
 name string
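Review bot: TestMiddlewareCORSEmptyOrigin only issues a GET, so the preflight path that MiddlewareCORS answers by itself (`if r.Method == "OPTIONS"` writes 200 and returns before the handler, per the middleware.go hunk) is never exercised for the empty-origin case, and that is the response a browser consults before allowing a cross-site call. Suggest running the request for both GET and OPTIONS, skipping the body check for OPTIONS since the echo handler is not reached there, and asserting the absence of every `_testCORSHeaderKeys` entry for both methods; the contents of that slice live elsewhere in the file, outside this hunk, so I am assuming it lists the three headers the middleware emits. Closing the body at the end of each iteration instead of with `defer` keeps the loop from holding all bodies until the subtest returns. The one-entry `servers` table plus t.Run is more scaffolding than a single case needs, but that is a matter of taste.
```go
			client := &http.Client{}
			for _, method := range []string{"GET", "OPTIONS"} {
				req, err := http.NewRequest(method, url, nil)
				require.NoError(t, err)

				resp, err := client.Do(req)
				require.NoError(t, err)
				require.Equal(t, http.StatusOK, resp.StatusCode, "should return ok")
				if method == "GET" {
					// the middleware answers OPTIONS itself, so only GET reaches the echo handler
					testExpectRespBody(t, resp, expected)
				}
				for _, key := range _testCORSHeaderKeys {
					require.NotContains(t, resp.Header, key, "CORS headers should not be sent")
				}
				// closed per iteration rather than deferred so bodies are not held until the subtest ends
				_ = resp.Body.Close()
			}
			// … unchanged: closing braces of t.Run and the servers loop …
```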