0

I'm using golang gin and I got this error

I know this is a CORS error and I fixed it in NodeJS but this time I'm working with golang and hence not able to fix it.

I got around this package https://github.com/gin-contrib/cors and modified my code

```go
r := gin.Default()
r.Use(cors.New(cors.Config{
    AllowOrigins:     []string{"http://localhost:5173"},
    AllowMethods:     []string{"PUT", "PATCH", "POST"},
    AllowHeaders:     []string{"Origin"},
    ExposeHeaders:    []string{"Content-Length", "Content-Type"},
    AllowFiles:       true,
    AllowCredentials: true,
    AllowOriginFunc: func(origin string) bool {
        return origin == "http://localhost:5173"
    },
}))
```

But the thing is that this error is still coming up.

shadyyx
  • 15,825
  • 6
  • 60
  • 95
  • 2
    In your server you have: `AllowHeaders: []string{"Origin"}`. The browser error says: `Request header field content-type is not allowed`. The browser is correct, your server CORS setting allows only `Origin` and no other header in the request. – mkopriva Aug 20 '23 at 15:44
  • 1
    As per Mozilla, Access-Control-Allow-Headers is used to tell which headers can be sent during a request while Access-Control-Expose-Headers is used to tell which headers are available for use by scripts in the browser – aksh02 Aug 20 '23 at 20:48
  • [Please do not upload images of code/data/errors.](//meta.stackoverflow.com/q/285551) – jub0bs Aug 21 '23 at 14:24
  • Is your problem solved? If so, please accept one of the two answers you've gotten so far. Otherwise, please leave some feedback below the two answers. – jub0bs Aug 29 '23 at 20:01

2 Answers

1

The browser is complaining because the server doesn't allow, in the Allowed Headers, the header 'Content-type'. Add this header to the list of allowed headers and CORS will stop complaining.

Francesco
  • 171
  • 8
0

You seem confused about the purpose of the ExposeHeaders field in that cors.Config struct. I can understand your confusion: neither the field name—ExposeResponseHeaders would, at the expense of conciseness, arguably be clearer—nor its documentation are particularly elucidating...

The ExposeHeaders struct field dictates which response header names will be listed in the Access-Control-Expose-Headers header, which instructs the browser to let the client access the values of those response headers. But, AFAICT, that's not what you want to do here. Instead, you want to allow requests that include a header named Content-Type. To do that, you need to modify the value of the AllowHeaders struct field in your CORS config like so:

```go
AllowHeaders: []string{"Content-Type"},
```

Note that, per the Fetch standard, allowing Origin as a request header in your CORS configuration is never necessary, simply because that header is managed by the browser rather than by the client.

Also, your use of the AllowOriginFunc is redundant. AllowOrigins is enough for your current needs.

Finally, you may find jub0bs/fcors somewhat easier to configure than gin-contrib/cors (here is an example), but I'm of course biased.

jub0bs
  • 60,866
  • 25
  • 183
  • 186
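
The difference between the allow list and the expose list discussed in the answers above, as an added example that is not part of the original posts and is not gin-contrib/cors code: a standard-library-only emulation of the browser's preflight check. `corsPolicy` and `preflightAllows` are hypothetical names, the handler is a simplified stand-in for a CORS middleware, and wildcard (`*`) handling is left out.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// corsPolicy is a hypothetical, simplified stand-in for a CORS middleware config.
type corsPolicy struct {
	AllowOrigin                 string
	AllowHeaders, ExposeHeaders []string
}

// ServeHTTP answers a preflight; Expose-Headers is sent only to show the browser ignores it here.
func (p corsPolicy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Origin") == p.AllowOrigin {
		w.Header().Set("Access-Control-Allow-Origin", p.AllowOrigin)
		w.Header().Set("Access-Control-Allow-Headers", strings.Join(p.AllowHeaders, ", "))
		w.Header().Set("Access-Control-Expose-Headers", strings.Join(p.ExposeHeaders, ", "))
	}
	w.WriteHeader(http.StatusNoContent)
}

// preflightAllows emulates the browser's check: every name listed in
// Access-Control-Request-Headers must appear in Access-Control-Allow-Headers.
func preflightAllows(p corsPolicy, origin string, requested ...string) bool {
	req := httptest.NewRequest(http.MethodOptions, "/", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	req.Header.Set("Access-Control-Request-Headers", strings.Join(requested, ", "))
	rec := httptest.NewRecorder()
	p.ServeHTTP(rec, req)
	allowed := map[string]bool{}
	for _, h := range strings.Split(rec.Header().Get("Access-Control-Allow-Headers"), ",") {
		allowed[strings.ToLower(strings.TrimSpace(h))] = true
	}
	ok := rec.Header().Get("Access-Control-Allow-Origin") == origin
	for _, h := range requested {
		ok = ok && allowed[strings.ToLower(h)]
	}
	return ok
}

func main() {
	origin, expose := "http://localhost:5173", []string{"Content-Length", "Content-Type"}
	fmt.Println(preflightAllows(corsPolicy{origin, []string{"Origin"}, expose}, origin, "content-type"))
	fmt.Println(preflightAllows(corsPolicy{origin, []string{"Content-Type"}, expose}, origin, "content-type"))
}
```

The first call models the configuration from the question and is rejected even though `Content-Type` is in the expose list; the second models the corrected allow list and passes.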