bypass when same origin

config.go

@@ -36,6 +36,12 @@ func (cors *cors) applyCors(c *gin.Context) {
 		// request is not a CORS request
 		return
 	}
+	host := c.Request.Header.Get("Host")
+	if origin == "http://"+host || origin == "https://"+host {
+		// request is not a CORS request but have origin header.
+		// for example, use fetch api
+		return
+	}
 	if !cors.validateOrigin(origin) {
 		c.AbortWithStatus(http.StatusForbidden)
 		return

cors_test.go

@@ -40,6 +40,19 @@ func performRequest(r http.Handler, method, origin string) *httptest.ResponseRec
 	return w
 }
 
+func performRequestWithHeaders(r http.Handler, method, origin string, headers map[string]string) *httptest.ResponseRecorder {
+	req, _ := http.NewRequest(method, "/", nil)
+	for k, v := range headers {
+		req.Header.Set(k, v)
+	}
+	if len(origin) > 0 {
+		req.Header.Set("Origin", origin)
+	}
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+	return w
+}
+
 func TestConfigAddAllow(t *testing.T) {
 	config := Config{}
 	config.AddAllowMethods("POST")
@@ -231,6 +244,13 @@ func TestPassesAllowedOrigins(t *testing.T) {
 	assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
 	assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers"))
 
+	// no CORS request, origin == host
+	w = performRequestWithHeaders(router, "GET", "http://facebook.com", map[string]string{"Host": "facebook.com"})
+	assert.Equal(t, "get", w.Body.String())
+	assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
+	assert.Empty(t, w.Header().Get("Access-Control-Allow-Credentials"))
+	assert.Empty(t, w.Header().Get("Access-Control-Expose-Headers"))
+
 	// allowed CORS request
 	w = performRequest(router, "GET", "http://google.com")
 	assert.Equal(t, "get", w.Body.String())