Add a warning when allowCredentials is used with wildcard origin (#56)

Fixes: #55
rs · May 24, 2018 · 694cf2a · 694cf2a
1 parent ca016a0
commit 694cf2a
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/cors.go b/cors.go
@@ -159,6 +159,11 @@ func New(options Options) *Cors {
 		c.allowedMethods = convert(options.AllowedMethods, strings.ToUpper)
 	}
 
+	if c.allowedOriginsAll && c.allowCredentials {
+		// See https://github.com/rs/cors/issues/55
+		log.Print("[cors] WARNING: unsafe configuration: AllowOrigin * and AllowCredientials true combined")
+	}
+
 	return c
 }
 
@@ -174,7 +179,7 @@ func AllowAll() *Cors {
 		AllowedOrigins:   []string{"*"},
 		AllowedMethods:   []string{"HEAD", "GET", "POST", "PUT", "PATCH", "DELETE"},
 		AllowedHeaders:   []string{"*"},
-		AllowCredentials: true,
+		AllowCredentials: false,
 	})
 }