1 files changed, 36 insertions, 1 deletions

diff --git a/vendor/github.com/gorilla/handlers/cors_test.go b/vendor/github.com/gorilla/handlers/cors_test.go
index c63913eee..61eb18f77 100644
--- a/vendor/github.com/gorilla/handlers/cors_test.go
+++ b/vendor/github.com/gorilla/handlers/cors_test.go
@@ -327,10 +327,45 @@ func TestCORSHandlerWithCustomValidator(t *testing.T) {
 		return false
 	}
 
-	CORS(AllowedOriginValidator(originValidator))(testHandler).ServeHTTP(rr, r)
+	// Specially craft a CORS object.
+	handleFunc := func(h http.Handler) http.Handler {
+		c := &cors{
+			allowedMethods: defaultCorsMethods,
+			allowedHeaders: defaultCorsHeaders,
+			allowedOrigins: []string{"http://a.example.com"},
+			h:              h,
+		}
+		AllowedOriginValidator(originValidator)(c)
+		return c
+	}
+
+	handleFunc(testHandler).ServeHTTP(rr, r)
 	header := rr.HeaderMap.Get(corsAllowOriginHeader)
 	if header != r.URL.String() {
 		t.Fatalf("bad header: expected %s to be %s, got %s.", corsAllowOriginHeader, r.URL.String(), header)
 	}
 
 }
+
+func TestCORSAllowStar(t *testing.T) {
+	r := newRequest("GET", "http://a.example.com")
+	r.Header.Set("Origin", r.URL.String())
+	rr := httptest.NewRecorder()
+
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
+	originValidator := func(origin string) bool {
+		if strings.HasSuffix(origin, ".example.com") {
+			return true
+		}
+		return false
+	}
+
+	CORS(AllowedOriginValidator(originValidator))(testHandler).ServeHTTP(rr, r)
+	header := rr.HeaderMap.Get(corsAllowOriginHeader)
+	// Because * is the default CORS policy (which is safe), we should be
+	// expect a * returned here as the Access Control Allow Origin header
+	if header != "*" {
+		t.Fatalf("bad header: expected %s to be %s, got %s.", corsAllowOriginHeader, r.URL.String(), header)
+	}
+
+}