From 02e433b2053cd1deec6fddfd3765ddaeb65238e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Mierzwa?=
Date: Sat, 29 Sep 2018 10:30:30 +0100
Subject: [PATCH] fix(cors): change Access-Control-Allow-Origin validation to work in dev
---
 main.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/main.go b/main.go
index dfb2d7c4e..2558e8b2a 100644
--- a/main.go
+++ b/main.go
@@ -63,7 +63,17 @@ func setupRouter(router *gin.Engine) {
 // so we end up with /static/static/js
 router.Use(static.Serve(getViewURL("/static/static/js/"), staticSrcFileSystem))
 router.Use(cors.New(cors.Config{
- AllowAllOrigins: true,
+ // This works different than AllowAllOrigins=true
+ // 1. AllowAllOrigins will cause responses to include
+ // 'Access-Control-Allow-Origin: *' header in all responses
+ // 2. Setting AllowOriginFunc allows to validate origin URI and if it passes
+ // the response will include 'Access-Control-Allow-Origin: $origin'
+ // So the logic is the same, but implementation is different.
+ // We need second behavior since setting `credentials: include` on JS
+ // fetch() will fail with 'Access-Control-Allow-Origin: *' responses
+ AllowOriginFunc: func(origin string) bool {
+ return true
+ },
 AllowCredentials: true,
 AllowMethods: []string{"GET", "POST", "DELETE"},
 AllowHeaders: []string{"Origin"},
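Review bot: `AllowOriginFunc` returning `true` for every origin, next to `AllowCredentials: true`, makes the server echo whatever Origin the caller sends on credentialed requests, so cross-origin pages are no longer blocked from making GET/POST/DELETE calls with the user's credentials and reading the responses. The added comment's "So the logic is the same" understates this: with `Access-Control-Allow-Origin: *` browsers refuse credentialed requests, and that refusal is the safeguard this change removes. If the permissive behaviour is only needed in dev, as the subject line suggests, gate it, for example `return gin.Mode() == gin.DebugMode || origin == allowedOrigin`, where `allowedOrigin` is a placeholder for the deployment's configured UI origin and the use of gin's debug mode as the dev signal is an assumption to confirm. At minimum replace that comment line with `// Echoes every origin while credentials are allowed; restrict to known origins outside dev.` The body of setupRouter continues outside the hunk, so any origin handling elsewhere in it is not visible here.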