Wildcard support for AllowedHeaders or add AllowedHeadersFunc

[kilgaloon]

I don't see a support that we can specify something like X-Header-*. I think this can be useful for some use cases. Maybe it would be good to add support for the wildcard or provide the func similar to the AllowOriginFunc.

[jub0bs]

This seems like an odd use case to me...

1. How many such request-header names do you typically need to allow in your CORS configuration?
2. Would allowing all request headers (via AllowedHeaders: "*") not be an acceptable alternative?

---

Another consideration: security. What if an adversary spoofs a preflight request that contains the following header?

Access-Control-Request-Headers: X-Header-followed_by_a_very_looooooooooooong_character_sequence

Allowing all header names of the form X-Header-* would force the CORS middleware to scan the entire header value, which could be as long as 1 << 20 bytes (and a bit). Such spoofed preflight requests could have a detrimental impact on middleware performance. In this connection, see #170.

[jub0bs]

@kilgaloon Any further comment? Can we close this issue?

[jub0bs]

@rs Without feedback from the OP, and in light of a recent comment of yours, I'm inclined to reject this suggestion.