1 files changed, 24 insertions, 3 deletions

diff --git a/vendor/github.com/gorilla/handlers/cors.go b/vendor/github.com/gorilla/handlers/cors.go
index 1f92d1a..16efb8a 100644
--- a/vendor/github.com/gorilla/handlers/cors.go
+++ b/vendor/github.com/gorilla/handlers/cors.go
@@ -48,7 +48,10 @@ const (
 func (ch *cors) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	origin := r.Header.Get(corsOriginHeader)
 	if !ch.isOriginAllowed(origin) {
-		ch.h.ServeHTTP(w, r)
+		if r.Method != corsOptionMethod || ch.ignoreOptions {
+			ch.h.ServeHTTP(w, r)
+		}
+
 		return
 	}
 
@@ -110,7 +113,21 @@ func (ch *cors) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set(corsVaryHeader, corsOriginHeader)
 	}
 
-	w.Header().Set(corsAllowOriginHeader, origin)
+	returnOrigin := origin
+	if ch.allowedOriginValidator == nil && len(ch.allowedOrigins) == 0 {
+		returnOrigin = "*"
+	} else {
+		for _, o := range ch.allowedOrigins {
+			// A configuration of * is different than explicitly setting an allowed
+			// origin. Returning arbitrary origin headers an an access control allow
+			// origin header is unsafe and is not required by any use case.
+			if o == corsOriginMatchAll {
+				returnOrigin = "*"
+				break
+			}
+		}
+	}
+	w.Header().Set(corsAllowOriginHeader, returnOrigin)
 
 	if r.Method == corsOptionMethod {
 		return
@@ -149,7 +166,7 @@ func parseCORSOptions(opts ...CORSOption) *cors {
 	ch := &cors{
 		allowedMethods: defaultCorsMethods,
 		allowedHeaders: defaultCorsHeaders,
-		allowedOrigins: []string{corsOriginMatchAll},
+		allowedOrigins: []string{},
 	}
 
 	for _, option := range opts {
@@ -297,6 +314,10 @@ func (ch *cors) isOriginAllowed(origin string) bool {
 		return ch.allowedOriginValidator(origin)
 	}
 
+	if len(ch.allowedOrigins) == 0 {
+		return true
+	}
+
 	for _, allowedOrigin := range ch.allowedOrigins {
 		if allowedOrigin == origin || allowedOrigin == corsOriginMatchAll {
 			return true