fix: honor requested allow origin settings properly (#17789)

fixes #17778

.github/workflows/vulncheck.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.19.11
+          go-version: 1.19.12
           check-latest: true
       - name: Get official govulncheck
         run: go install golang.org/x/vuln/cmd/govulncheck@latest

cmd/api-router.go

@@ -545,12 +545,5 @@ func corsHandler(handler http.Handler) http.Handler {
 		ExposedHeaders:   commonS3Headers,
 		AllowCredentials: true,
 	}
-	for _, origin := range globalAPIConfig.getCorsAllowOrigins() {
-		if origin == "*" {
-			opts.AllowOriginFunc = nil
-			opts.AllowedOrigins = globalAPIConfig.getCorsAllowOrigins()
-			break
-		}
-	}
 	return cors.New(opts).Handler(handler)
 }

cmd/generic-handlers.go

@@ -443,6 +443,11 @@ func setRequestValidityMiddleware(h http.Handler) http.Handler {
 // is obtained from centralized etcd configuration service.
 func setBucketForwardingMiddleware(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if origin := w.Header().Get("Access-Control-Allow-Origin"); origin == "null" {
+			// This is a workaround change to ensure that "Origin: null"
+			// incoming request to a response back as "*" instead of "null"
+			w.Header().Set("Access-Control-Allow-Origin", "*")
+		}
 		if globalDNSConfig == nil || !globalBucketFederation ||
 			guessIsHealthCheckReq(r) || guessIsMetricsReq(r) ||
 			guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) {

cmd/server_test.go

@@ -219,7 +219,7 @@ func (s *TestSuiteCommon) TestBucketSQSNotificationWebHook(c *check) {
 func (s *TestSuiteCommon) TestCors(c *check) {
 	expectedMap := http.Header{}
 	expectedMap.Set("Access-Control-Allow-Credentials", "true")
-	expectedMap.Set("Access-Control-Allow-Origin", "*")
+	expectedMap.Set("Access-Control-Allow-Origin", "http://foobar.com")
 	expectedMap["Access-Control-Expose-Headers"] = []string{
 		"Date",
 		"Etag",