origin matching should be case insensitive

Signed-off-by: Pascal Sthamer <[email protected]>
Baroshem · Aug 9, 2024 · 6a04128 · 6a04128
1 parent 2151b7d
commit 6a04128
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/src/runtime/server/middleware/corsHandler.ts b/src/runtime/server/middleware/corsHandler.ts
@@ -16,7 +16,7 @@ export default defineEventHandler((event) => {
     }
 
     if (origin && origin !== '*' && corsHandler.useRegExp) {
-      origin = origin.map((o) => new RegExp(o))
+      origin = origin.map((o) => new RegExp(o, 'i'))
     }
 
     handleCors(event, {

diff --git a/test/cors.test.ts b/test/cors.test.ts
@@ -57,6 +57,11 @@ describe('[nuxt-security] CORS', async () => {
     expect(res.headers.get('Access-Control-Allow-Origin')).toBeNull()
   })
 
+  it('should match origins with regular expressions in a case-insensitive way', async () => {
+    const res = await fetch('/regexp-single', { headers: { origin: 'https://A.EXAMPLE.COM' } })
+    expect(res.headers.get('Access-Control-Allow-Origin')).toBe('https://A.EXAMPLE.COM')
+  })
+
   it('should support multiple regular expressions', async () => {
     let res = await fetch('/regexp-multi', { headers: { origin: 'https://a.example.com' } })
     expect(res.headers.get('Access-Control-Allow-Origin')).toBe('https://a.example.com')