[FEATURE] Allow users to disable caching of preflight responses

[jub0bs]

Is there an existing feature request for this?

• I have searched the existing feature requests

Is your feature request related to a problem? Please describe.

Omitting the Access-Control-Max-Age header from a preflight response leads browsers to cache that response for 5 seconds, whereas including

Access-Control-Max-Age: 0

in a preflight instructs browsers not to cache that preflight response. However, the CORS middleware ignores that distinction and takes a maxAge value of 0 as a cue to omit the Access-Control-Max-Age header. Therefore, it prevents its users from disabling caching of preflight responses.

Describe the solution that you would like.

Fortunately, since the CORS middleware uses the functional-options pattern (as opposed to exposing a config struct to users), retrofitting it to understand this distinction (0 value set/unset) should be straightforward. Maintainers could add customMaxAge bool field to the cors struct type and set it when the MaxAge option is called.

Describe alternatives you have considered.

Alternatively, maintainers could change the type of cors.maxAge from int to *int, where a nil value indicates that users haven't set a max age.

Anything else?

• jub0bs - Fearless CORS: a design philosophy for CORS middleware libraries (and a Go implementation)
• Julien Cretel - Useful Functional-Options Tricks for Better Libraries (GopherCon Europe 2023)
• No way to disable caching of preflight responses rs/cors#152
• No way to disable caching of CORS-preflight responses labstack/echo#2471
• 🚀 [Feature]: allow users to disable caching of CORS-preflight responses gofiber/fiber#2609
• No way to disable caching of CORS-preflight responses gin-contrib/cors#120