Before creating a GitHub issue it seemed like a good idea to post here.

We had a recent situation where one of our APIs set Access-Control-Allow-Origin equal to * to allow our front-end team to locally develop against the API directly (rather than through Kong). Regretfully this code wasn’t conditional based on the environment. However, I was shocked to discover that even with the API sitting behind Kong and the Cors plugin configured the * was still being proxied/returned.

Looking at the plugin’s configure_origin() here it became clear that if it finds a match it sets Access-Control-Allow-Origin to the valid origin, but if it doesn’t find a match it does nothing. Doing nothing allows the * to get through in our case.

Instead of doing nothing when no origins match, shouldn’t the Cors plugin ensure the Access-Control-Allow-Origin header doesn’t exist?
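The two behaviours discussed in the post, modelled as an added Python example (this is not Kong's code and not part of the original post). It assumes a proxy that receives the upstream response headers, knows the request's Origin, and holds an origin allowlist from its configuration: `passthrough_cors` mirrors the described behaviour (set the header on a match, otherwise leave the upstream header alone), `strict_cors` removes any upstream Access-Control-Allow-Origin before deciding, and `audit` lists what a defender would flag on a response after it left the proxy. The sample upstream response and the allowlist are constructed for the example.

```python
# Added illustration of the two header policies discussed in the post.
# Not Kong's code: the proxy, allowlist and upstream response are assumed.
from typing import Dict, Iterable, List, Optional

ACAO = "Access-Control-Allow-Origin"


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def without_header(headers: Dict[str, str], name: str) -> Dict[str, str]:
    """Copy of headers with every spelling of `name` removed."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def passthrough_cors(upstream: Dict[str, str], origin: Optional[str],
                     allowed: Iterable[str]) -> Dict[str, str]:
    """Behaviour the post describes: set the header on a match, otherwise do
    nothing, so whatever the upstream sent (here '*') reaches the browser."""
    headers = dict(upstream)
    if origin is not None and origin in set(allowed):
        headers = without_header(headers, ACAO)  # avoid a duplicate header
        headers[ACAO] = origin
    # no else branch: an upstream ACAO survives for non-matching origins
    return headers


def strict_cors(upstream: Dict[str, str], origin: Optional[str],
                allowed: Iterable[str]) -> Dict[str, str]:
    """Hardened variant: the proxy owns the CORS decision, so the upstream
    ACAO is always dropped and only a matching origin gets one back."""
    headers = without_header(upstream, ACAO)
    if origin is not None and origin in set(allowed):
        headers[ACAO] = origin
        # Per-origin answers must not be served from cache to another origin.
        vary = get_header(headers, "Vary")
        if vary is None:
            headers["Vary"] = "Origin"
        elif "origin" not in [v.strip().lower() for v in vary.split(",")]:
            headers["Vary"] = vary + ", Origin"
    return headers


def audit(headers: Dict[str, str], allowed: Iterable[str]) -> List[str]:
    """Findings to check for on a response observed on the client side."""
    findings: List[str] = []
    acao = get_header(headers, ACAO)
    if acao == "*":
        findings.append("wildcard Access-Control-Allow-Origin reached the client")
    elif acao is not None and acao not in set(allowed):
        findings.append(f"Access-Control-Allow-Origin {acao!r} is not in the allowlist")
    return findings


# Constructed sample: the upstream API answers with a wildcard, as in the post.
UPSTREAM_RESPONSE = {
    "Content-Type": "application/json",
    "access-control-allow-origin": "*",  # lowercase on purpose: lookups must be case-insensitive
}
ALLOWED_ORIGINS = ["https://app.example.com"]  # assumed proxy allowlist

if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://other.example.org"):
        for name, policy in (("passthrough", passthrough_cors), ("strict", strict_cors)):
            out = policy(UPSTREAM_RESPONSE, origin, ALLOWED_ORIGINS)
            print(f"{name:11} {origin:28} ACAO={get_header(out, ACAO)!r} "
                  f"findings={audit(out, ALLOWED_ORIGINS)}")
```

Running it shows the difference the post is asking about: for the non-allowlisted origin the passthrough policy forwards the upstream `*` and the audit flags it, while the strict policy returns no Access-Control-Allow-Origin header at all. The removal is done case-insensitively because an upstream that emits the header in lowercase would otherwise slip past an exact-key check.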