
CORS middleware doesn't automatically handle OPTIONS routes for groups anymore since upgrade to v5 #2950

@philicious

Not sure if this is intended behavior or a regression:

I have had code working with echo v4 like

```go
r := e.Group("/myroute", middleware.CORSWithConfig(middleware.CORSConfig{
	AllowOrigins: []string{
		"http://localhost:3000", // local frontend
		"https://mydomain.de",
	},
	AllowHeaders: []string{echo.HeaderOrigin, echo.HeaderContentType, echo.HeaderAccept, echo.HeaderAuthorization},
}))

r.GET("", controller.GetStuff)
...
```

now after upgrading to v5 I suddenly experience CORS errors

Access to XMLHttpRequest at XX from origin 'https://mydomain.de' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

and indeed the header is missing.

A fix was to explicitly add routes for OPTIONS on all groups with CORS middleware

```go
func addPreflight(g *echo.Group) {
	h := func(c *echo.Context) error {
		return c.NoContent(http.StatusNoContent)
	}

	g.OPTIONS("", h)
	g.OPTIONS("/", h)
	g.OPTIONS("/*", h)
}
```

further investigation showed the CORS middleware HandlerFunc isn't invoked at all for OPTIONS-method if not explicitly added to routes in case CORS is added to a group.

known good version: v4.15.1

however I didn't see mentions of that in migration guide. did I miss them? is this new expected behavior?
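
A standard-library model of the behaviour reported above, added here as an illustration and not code from the issue or from Echo: `cors`, `router`, `buildRouter` and `preflightAllowed` are hypothetical names, and the `router` type is an assumption standing in for middleware that only runs on matched routes. `preflightAllowed` accepts any `http.Handler`, so the same check can be kept as a regression test across framework upgrades.

```go
package main

import "net/http"
import "net/http/httptest"

const allowedOrigin = "https://mydomain.de" // origin from the report

// cors is a stand-in CORS middleware (not Echo's implementation).
func cors(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") == allowedOrigin {
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
		}
		if r.Method == http.MethodOptions { // answer the preflight itself
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// router runs a handler (and its middleware) only on an exact method+path match.
type router map[string]http.Handler
func (rt router) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if h, ok := rt[r.Method+" "+r.URL.Path]; ok {
		h.ServeHTTP(w, r)
		return
	}
	w.WriteHeader(http.StatusMethodNotAllowed) // no CORS headers on this path
}

func buildRouter(withOptions bool) router {
	rt := router{"GET /myroute": cors(http.NotFoundHandler())}
	if withOptions { // the explicit OPTIONS route from the workaround
		rt["OPTIONS /myroute"] = rt["GET /myroute"]
	}
	return rt
}

// preflightAllowed reports whether a preflight from origin gets the header.
func preflightAllowed(h http.Handler, path, origin string) bool {
	req := httptest.NewRequest(http.MethodOptions, path, nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", http.MethodGet)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin") == origin
}

func main() { println(preflightAllowed(buildRouter(true), "/myroute", allowedOrigin)) }
```

The third case worth asserting is that the explicit OPTIONS route does not widen the policy: a preflight from an origin outside the allow list must still come back without the header.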
