🚀 [Feature]: stop dangerously bypassing the wildcard exception (CORS)

### Feature Description

Fiber's CORS middleware actively bypasses the so-called [_wildcard exception_][wildcard-exception]: if developers configure their CORS middleware to allow credentials and specify the wildcard as an allowed origin, the resulting middleware unconditionally reflects the value of the request's `Origin` header in the `Access-Control-Allow-Origin` response header.

This is insecure insofar as it exposes users to [cross-origin attacks][portswigger] that can be mounted from any origin.

For information, a similar issue was reported to (and subsequently fixed by) other Web frameworks/libraries:

- [Go Chi](https://github.com/go-chi/cors/pull/6)
- [rs/cors](https://github.com/rs/cors/issues/55)

[portswigger]: https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
[wildcard-exception]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#credentialed_requests_and_wildcards

### Additional Context (optional)

### Steps to reproduce

1. Run `mkdir wildcardcraziness && cd $_`.
2. Save the program below to `main.go`.
3. Run `go mod init whatever && go mod tidy`.
4. Run `go run main.go`.
5. Run `curl -sD - -o /dev/null -H "Origin: https://attacker.org" localhost:8081/hello`.

### Expected behaviour

Perhaps the following:

```shell
curl -sD - -o /dev/null \
  -H "Origin: https://attacker.org" \
  localhost:8081/hello
```
```http
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
-snip-
```

Ideally, though, the resulting middleware should not be built at all, since it is dysfunctional. More about this in [my latest blog post][post].

### Actual behaviour

```shell
curl -sD - -o /dev/null \
  -H "Origin: https://attacker.org" \
  localhost:8081/hello
```
```http
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://attacker.org
-snip-
```

Note the unconditional reflection of the request's `Origin` header value (`https://attacker.org`) in the `Access-Control-Allow-Origin` response header.

[post]: https://jub0bs.com/posts/2023-02-08-fearless-cors/#6-treat-cors-as-a-compilation-target

### Code Snippet

```go
package main

import (
	"log"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/cors"
)

func main() {
	app := fiber.New()
	app.Use(cors.New(cors.Config{
		AllowOrigins:     "*",
		AllowCredentials: true,
	}))
	app.Get("/hello", hello)
	if err := app.Listen(":8081"); err != nil {
		log.Fatal(err)
	}
}

func hello(c *fiber.Ctx) error {
	return c.SendString("Hello, World!")
}
```


### Checklist:

- [X] I agree to follow Fiber's [Code of Conduct](https://github.com/gofiber/fiber/blob/master/.github/CODE_OF_CONDUCT.md).
- [X] I have checked for existing issues that describe my suggestion prior to opening this one.
- [X] I understand that improperly formatted feature requests may be closed without explanation.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

🚀 [Feature]: stop dangerously bypassing the wildcard exception (CORS) #2338

Feature Description

Additional Context (optional)

Steps to reproduce

Expected behaviour

Actual behaviour

Code Snippet

Checklist:

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

🚀 [Feature]: stop dangerously bypassing the wildcard exception (CORS) #2338

Description

Feature Description

Additional Context (optional)

Steps to reproduce

Expected behaviour

Actual behaviour

Code Snippet

Checklist:

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions