It's kinda ridiculous to try and roll our own CORS implementation. We should use https://github.com/rs/cors. Important note:
Allow * With Credentials Security Protection
This library has been modified to avoid a well known security issue when configured with AllowedOrigins to * and AllowCredentials to true. Such setup used to make the library reflects the request Origin header value, working around a security protection embedded into the standard that makes clients to refuse such configuration. This behavior has been removed with rs/cors#55 and rs/cors#57.
If you depend on this behavior and understand the implications, you can restore it using the AllowOriginFunc with func(origin string) {return true}.
Please refer to rs/cors#55 for more information about the security implications.
It's kinda ridiculous to try and roll our own CORS implementation. We should use https://github.com/rs/cors. Important note: