From 6f6befe555e9f076b8f4a4c060ad100f1c7e46b4 Mon Sep 17 00:00:00 2001
From: toimtoimtoim <desinformatsioon@gmail.com>
Date: Thu, 9 Dec 2021 21:57:20 +0200
Subject: [PATCH] improve docs

---
 context.go         |  2 +-
 echo.go            | 12 ++++++------
 middleware/cors.go |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/context.go b/context.go
index ea542cb86..f2421d77b 100644
--- a/context.go
+++ b/context.go
@@ -214,7 +214,7 @@ const (
 	// ContextKeyHeaderAllow is set by Router for getting value for `Allow` header in later stages of handler call chain.
 	// Allow header is mandatory for status 405 (method not found) and useful for OPTIONS method requests.
 	// It is added to context only when Router does not find matching method handler for request.
-	ContextKeyHeaderAllow = "____echo____header_allow"
+	ContextKeyHeaderAllow = "echo_header_allow"
 )
 
 const (
diff --git a/echo.go b/echo.go
index 8747039e4..427898217 100644
--- a/echo.go
+++ b/echo.go
@@ -192,9 +192,10 @@ const (
 const (
 	HeaderAccept         = "Accept"
 	HeaderAcceptEncoding = "Accept-Encoding"
-	// HeaderAllow is header field that lists the set of methods advertised as supported by the target resource.
-	// Allow header is mandatory for status 405 (method not found) and useful OPTIONS method responses.
-	// See: https://datatracker.ietf.org/doc/html/rfc7231#section-7.4.1
+	// HeaderAllow is the name of the "Allow" header field used to list the set of methods
+	// advertised as supported by the target resource. Returning an Allow header is mandatory
+	// for status 405 (method not found) and useful for the OPTIONS method in responses.
+	// See RFC 7231: https://datatracker.ietf.org/doc/html/rfc7231#section-7.4.1
 	HeaderAllow               = "Allow"
 	HeaderAuthorization       = "Authorization"
 	HeaderContentDisposition  = "Content-Disposition"
@@ -305,9 +306,8 @@ var (
 	}
 
 	MethodNotAllowedHandler = func(c Context) error {
-		// 'Allow' header RFC: https://datatracker.ietf.org/doc/html/rfc7231#section-7.4.1
-		// >> An origin server MUST generate an Allow field in a 405 (Method Not Allowed) response
-		//    and MAY do so in any other response.
+		// See RFC 7231 section 7.4.1: An origin server MUST generate an Allow field in a 405 (Method Not Allowed)
+		// response and MAY do so in any other response. For disabled resources an empty Allow header may be returned
 		routerAllowMethods, ok := c.Get(ContextKeyHeaderAllow).(string)
 		if ok && routerAllowMethods != "" {
 			c.Response().Header().Set(HeaderAllow, routerAllowMethods)
diff --git a/middleware/cors.go b/middleware/cors.go
index a5122f26e..16259512a 100644
--- a/middleware/cors.go
+++ b/middleware/cors.go
@@ -172,7 +172,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 				checkPatterns := false
 				if allowOrigin == "" {
 					// to avoid regex cost by invalid (long) domains (253 is domain name max limit)
-					if len(origin) <= (253+3+4) && strings.Contains(origin, "://") {
+					if len(origin) <= (253+3+5) && strings.Contains(origin, "://") {
 						checkPatterns = true
 					}
 				}