Allow null/empty origin header

c2h5oh · c2h5oh · commit 5f89c00c6b93 · 2025-06-26T13:20:00.000-04:00
diff --git a/cors.go b/cors.go
@@ -210,7 +210,10 @@ func AllowAll() *Cors {
 // as necessary.
 func (c *Cors) Handler(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" && r.Header.Get("Origin") != "" {
+		// null or empty Origin header value is acceptable and it is considered having that header
+		_, hasOriginHeader := r.Header["Origin"]
+
+		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" && hasOriginHeader {
 			c.logf("Handler: Preflight request")
 			c.handlePreflight(w, r)
 			// Preflight requests are standalone and should stop the chain as some other
@@ -246,10 +249,6 @@ func (c *Cors) handlePreflight(w http.ResponseWriter, r *http.Request) {
 	headers.Add("Vary", "Access-Control-Request-Method")
 	headers.Add("Vary", "Access-Control-Request-Headers")
 
-	if origin == "" {
-		c.logf("Preflight aborted: empty origin")
-		return
-	}
 	if !c.isOriginAllowed(r, origin) {
 		c.logf("Preflight aborted: origin '%s' not allowed", origin)
 		return
@@ -295,10 +294,7 @@ func (c *Cors) handleActualRequest(w http.ResponseWriter, r *http.Request) {
 
 	// Always set Vary, see https://github.com/rs/cors/issues/10
 	headers.Add("Vary", "Origin")
-	if origin == "" {
-		c.logf("Actual request no headers added: missing origin")
-		return
-	}
+
 	if !c.isOriginAllowed(r, origin) {
 		c.logf("Actual request no headers added: origin '%s' not allowed", origin)
 		return
