Listing Origin as an allowed request header is unnecessary

The middleware lists `Origin` as an allowed request header (see [here](https://github.com/go-chi/cors/blob/76ca79794e02cd16a20fc57320d4930cacf591a2/cors.go#L161) and [here](https://github.com/go-chi/cors/blob/76ca79794e02cd16a20fc57320d4930cacf591a2/cors.go#L164)). However, listing `Origin` is never necessary because that header is added to requests by the browser, [never by the client](https://fetch.spec.whatwg.org/#forbidden-request-header).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Listing Origin as an allowed request header is unnecessary #26

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Listing Origin as an allowed request header is unnecessary #26

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions