Why does this code panic when trying to set AllowedOrigins?

[jarrodhroberson]

Using the following code I get a panic

func CORS() gin.HandlerFunc {
	allowedOrigins := []string{"https://example.com", "https://www.example.com"}
	if v, ok := os.LookupEnv("ALLOW_LOCAL_HOST"); ok {
		allowedOrigins = append(allowedOrigins, v)
	}
	config := cors.Config{
		AllowOrigins:     allowedOrigins,
	}

	return cors.New(config)
}

I get this panic

ERROR 2025-03-24T02:41:34.271704Z panic: bad origin: origins must contain '*' or include http://,https://

but if I slightly change it to

	config := cors.Config{
		AllowOrigins: []string{"https://example.com", "https://www.example.com"},
	}

it works as expected?

Is this a bug?

If not What am I missing here?

[bound2]

In your first code example, you are appending value to slice from env variable ALLOW_LOCAL_HOST.

if v, ok := os.LookupEnv("ALLOW_LOCAL_HOST"); ok {
	allowedOrigins = append(allowedOrigins, v)
}

It's likely that the value read from there is malformed url.

[jarrodhroberson]

if it is missing something why not tell the user what caused the error? `panic: bad origin: <>BAD ORIGIN HERE>>; origins must contain '*' or include http://,https://)` instead of the lazy "oh crap something happened" message it is spittng out. Instead we get a MSDOS era "FILE NOT FOUND" error message.

…

On Fri, Mar 28, 2025 at 1:54 AM bound2 ***@***.***> wrote: In your first code example, you are appending value to slice from env variable ALLOW_LOCAL_HOST. if v, ok := os.LookupEnv("ALLOW_LOCAL_HOST"); ok { allowedOrigins = append(allowedOrigins, v) } It's likely that the value read from there is malformed url. — Reply to this email directly, view it on GitHub <#4195 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABF77ZAWI5NARJAMJQKPTL2WTIXTAVCNFSM6AAAAABZTZEDXWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONRQGI3TANZRGM> . You are receiving this because you authored the thread.Message ID: ***@***.***> [image: bound2]*bound2* left a comment (gin-gonic/gin#4195) <#4195 (comment)> In your first code example, you are appending value to slice from env variable ALLOW_LOCAL_HOST. if v, ok := os.LookupEnv("ALLOW_LOCAL_HOST"); ok { allowedOrigins = append(allowedOrigins, v) } It's likely that the value read from there is malformed url. — Reply to this email directly, view it on GitHub <#4195 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABF77ZAWI5NARJAMJQKPTL2WTIXTAVCNFSM6AAAAABZTZEDXWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONRQGI3TANZRGM> . You are receiving this because you authored the thread.Message ID: ***@***.***>

-- Jarrod Roberson 678.551.2852

[kkoehler]

I've added a pull request to the cors contrib package: gin-contrib/cors#167