Users currently cannot allow methods that are not uppercase

The Fetch standard [states](https://fetch.spec.whatwg.org/#concept-method-normalize) that methods are, in general, case-sensitive. For instance, `PATCH` is distinct from `patch`.

However, Gin's CORS middleware [currently](https://github.com/gin-contrib/cors/blob/c1983b27ecf753efe85d970c701af4eb51b46f12/utils.go#L35) uppercases the allowed methods before writing the result in the `Access-Control-Allow-Methods`. Therefore, Gin's CORS middleware prevents its users from allowing methods that are not already uppercase.

Accordingly, two currently passing test cases, [`TestGeneratePreflightHeaders_AllowMethods`](https://github.com/gin-contrib/cors/blob/c1983b27ecf753efe85d970c701af4eb51b46f12/cors_test.go#L171) and [`TestPassesAllowOrigins`](https://github.com/gin-contrib/cors/blob/c1983b27ecf753efe85d970c701af4eb51b46f12/cors_test.go#L265), should actually fail, because their assertions on `w.Header().Get("Access-Control-Allow-Methods")` are incorrect.

FWIW, this [undue case-normalisation](https://jub0bs.com/posts/2023-02-08-fearless-cors/#violation-of-the-case-sensitivity-of-method-names) can be deplored in other CORS middleware libraries and [it tends to trip users up](https://stackoverflow.com/questions/55250297/problem-with-patch-method-and-cors-preflight-request). Gin should fixed this.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Users currently cannot allow methods that are not uppercase #121

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development