breaking change with returned Access-Control-Allow-Origin header

[cainlevy]

Prior to #116, specifying AllowedOriginValidator acted as an override to AllowedOrigins. Afterwards, the same configuration will return Access-Control-Allow-Origin: * because of the default value for allowedOrigins.

// before: will only reflect allowed origins
// after: will reflect "*"
gorilla.CORS(
  gorilla.AllowedOriginValidator(myValidator)
)

Fixing this requires specifying a blank AllowedOrigins to override the default value:

gorilla.CORS(
  gorilla.AllowedOrigins([]string{})
  gorilla.AllowedOriginValidator(myValidator)
)

[cainlevy]

I think the difference between gorilla/handlers and the other examples listed in #116 is that gorilla/handlers treated AllowedOriginValidator as an override and ignored the default * configuration.

It should be possible to specify AllowedOriginValidator(myValidator) alongside AllowCredentials(). It should not be possible to specify AllowedOrigins([]string{"*"}) alongside AllowCredentials().

[faryon93]

+1

[kisielk]

@elithrar thoughts on this one? It's been a while since I've looked at CORS details

[elithrar]

Let me take a look this weekend & assess.