allow all origins wildcard not supported by chrome

[cameronbraid]

Am getting an error in chrome dev tools :

Access to CSS stylesheet at 'https://..' from origin 'https://...' has been blocked by CORS policy:
 The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard
  '*' when the request's credentials mode is 'include'.
16:11:31.942

How should I handle this to make go-chi write the request origin header instead ?

[cameronbraid]

I found a workaround

use AllowedOrigins=["https://*","http://*"] and AllowCredentials=true

[iamajoe]

Should the library default URLs without a protocol to contain on the []slice a version with http and a version with https?
Probably not, it would introduce a bit of "magic" and maybe the developer should know that he needs to set them. If so, should this be documented on the documentation? Should an error be thrown in case the developer doesn't set the protocols?

I can work on this upon decisions.

[jub0bs]

@cameronbraid The configuration you suggests opens the door to cross-origin attacks meant to exfiltrate sensitive data from unsuspecting victims.