From 4a4950fe411d133bcf8ba07f769f4c6c02331881 Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Wed, 2 Aug 2023 20:41:21 -0700 Subject: [PATCH] fix: honor requested allow origin settings properly (#17789) fixes #17778 --- .github/workflows/vulncheck.yml | 2 +- cmd/api-router.go | 7 ------- cmd/generic-handlers.go | 5 +++++ cmd/server_test.go | 2 +- 4 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
index c6f443100..783181580 100644
--- a/.github/workflows/vulncheck.yml
+++ b/.github/workflows/vulncheck.yml
@@ -20,7 +20,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.19.11 + go-version: 1.19.12 check-latest: true - name: Get official govulncheck run: go install golang.org/x/vuln/cmd/govulncheck@latest
diff --git a/cmd/api-router.go b/cmd/api-router.go
index 3bd9eb7d2..d4e118e1c 100644
--- a/cmd/api-router.go
+++ b/cmd/api-router.go
@@ -545,12 +545,5 @@ func corsHandler(handler http.Handler) http.Handler {
 ExposedHeaders: commonS3Headers,
 AllowCredentials: true,
 }
- for _, origin := range globalAPIConfig.getCorsAllowOrigins() {
- if origin == "*" {
- opts.AllowOriginFunc = nil
- opts.AllowedOrigins = globalAPIConfig.getCorsAllowOrigins()
- break
- }
- }
 return cors.New(opts).Handler(handler)
 }
diff --git a/cmd/generic-handlers.go b/cmd/generic-handlers.go
index 506e8c561..50f158b6d 100644
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@@ -443,6 +443,11 @@ func setRequestValidityMiddleware(h http.Handler) http.Handler {
 // is obtained from centralized etcd configuration service.
 func setBucketForwardingMiddleware(h http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if origin := w.Header().Get("Access-Control-Allow-Origin"); origin == "null" {
+ // This is a workaround change to ensure that "Origin: null"
+ // incoming request to a response back as "*" instead of "null"
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ }
 if globalDNSConfig == nil || !globalBucketFederation || guessIsHealthCheckReq(r) || guessIsMetricsReq(r) || guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) {
diff --git a/cmd/server_test.go b/cmd/server_test.go
index f81c82a7d..8463593bc 100644
--- a/cmd/server_test.go
+++ b/cmd/server_test.go
@@ -219,7 +219,7 @@ func (s *TestSuiteCommon) TestBucketSQSNotificationWebHook(c *check) {
 func (s *TestSuiteCommon) TestCors(c *check) {
 expectedMap := http.Header{}
 expectedMap.Set("Access-Control-Allow-Credentials", "true")
- expectedMap.Set("Access-Control-Allow-Origin", "*")
+ expectedMap.Set("Access-Control-Allow-Origin", "http://foobar.com")
 expectedMap["Access-Control-Expose-Headers"] = []string{
 "Date",
 "Etag",
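Review bot: The added rewrite at the top of setBucketForwardingMiddleware turns an already-set `Access-Control-Allow-Origin: null` into `*`, but the two comment lines do not say why, and the placement hides two assumptions: that the CORS handler has already written this header when this middleware runs (otherwise the check is a no-op), and that a wildcard is the right answer for a `null` origin, which browsers send for sandboxed iframes, `file://` pages and some cross-origin redirects. Echoing `null` back would let any such page read the response, so replacing it is sound; with `AllowCredentials: true` in corsHandler the `*` will additionally be refused by browsers for credentialed requests, which looks like the intended effect but should be stated rather than left as "workaround". I would replace the two comment lines with `// Browsers send "Origin: null" for sandboxed iframes, file:// pages and some redirects; echoing "null" back would let any such page read the response, so answer "*" instead (browsers refuse to pair "*" with credentials). Relies on corsHandler having already set this header.` setBucketForwardingMiddleware continues past the end of the hunk, and whether corsHandler wraps this middleware is not visible here.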
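Review bot: TestCors now pins the configured-origin echo (`http://foobar.com`), but nothing in this change exercises the new `Origin: null` path added in setBucketForwardingMiddleware, so a regression there would go unnoticed. The request construction for TestCors lies outside the hunk, so I cannot tell whether it is parameterised; I would add a second request with `req.Header.Set("Origin", "null")` and assert that `Access-Control-Allow-Origin` comes back as `*`, and ideally a third with an origin outside the allow list (e.g. `http://evil.example`) asserting that no `Access-Control-Allow-Origin` header is returned at all. TestCors's body continues past the end of the hunk.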