*Background:* Currently, APISIX has a cors plugin to address browser cross-domain issues; it handles browser requests and dynamically adds allow headers. It contains an allow_origins option for handling client sources, which allows both allow_origins (hereafter referred to as text mode) and allow_origins_by_regex (hereafter referred to as regular mode), but they are currently not mutually exclusive. The logic first checks using text mode and returns directly if the match is successful, and then matches regular mode if it fails, so in effect regular mode is a fallback option for text mode.
*Problem:* When we want to use regular mode only, without giving preference to text mode, we find that we cannot achieve it in the normal way. When you use only allow_origins_by_regex without setting the allow_origins configuration, APISIX automatically adds the default value "*" to allow_origins, so it directly bypasses the regular pattern configuration you defined, which is obviously wrong and dangerous. If you must configure it this way, you can only configure an address for text mode that can never be accessed, i.e. ensure that text mode never matches. This is neither elegant nor secure.

Therefore, I think text mode and regular mode should be mutually exclusive, and text mode should not have a default value of "*". What do you think?

Best regards!
Zeping Bai
@bzp2010
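
Added example, not part of the original message and not APISIX's code: a Python model of the matching order the message describes, next to the mutually exclusive behaviour it proposes, plus a config check for the shadowed-regex case. The function names, the comma-separated format assumed for allow_origins, the sample pattern and the sample origins are assumptions constructed for illustration.

```python
import re

DEFAULT_ALLOW_ORIGINS = "*"  # default the message says is applied when allow_origins is unset


def _regex_match(origin, patterns):
    return any(re.search(p, origin) for p in patterns)


def _text_match(origin, allow_origins):
    # Assumption: text mode is "*" or a comma-separated list of exact origins.
    return allow_origins == "*" or origin in allow_origins.split(",")


def allowed_current(origin, conf):
    """Order described in the message: text mode first, regex only as fallback."""
    if _text_match(origin, conf.get("allow_origins", DEFAULT_ALLOW_ORIGINS)):
        return True
    return _regex_match(origin, conf.get("allow_origins_by_regex", []))


def allowed_exclusive(origin, conf):
    """Proposed behaviour: the two modes are exclusive and nothing defaults to "*"."""
    if "allow_origins" in conf and "allow_origins_by_regex" in conf:
        raise ValueError("allow_origins and allow_origins_by_regex are mutually exclusive")
    if "allow_origins_by_regex" in conf:
        return _regex_match(origin, conf["allow_origins_by_regex"])
    return "allow_origins" in conf and _text_match(origin, conf["allow_origins"])


def regex_is_shadowed(conf):
    """Config check: regex mode is set, but text mode would accept every origin first."""
    return bool(conf.get("allow_origins_by_regex")) and \
        conf.get("allow_origins", DEFAULT_ALLOW_ORIGINS) == "*"


# Constructed sample data.
PATTERN = r"^https://[a-z0-9-]+\.example\.com$"
REGEX_ONLY = {"allow_origins_by_regex": [PATTERN]}
WORKAROUND = {"allow_origins": "https://never-used.invalid", "allow_origins_by_regex": [PATTERN]}

if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://other.test"):
        print(origin,
              "current:", allowed_current(origin, REGEX_ONLY),
              "workaround:", allowed_current(origin, WORKAROUND),
              "exclusive:", allowed_exclusive(origin, REGEX_ONLY))
    print("regex shadowed by default:", regex_is_shadowed(REGEX_ONLY))
```

Running `regex_is_shadowed` over existing route configurations shows which ones rely on a regex list that the default text-mode value makes ineffective.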