Allow same origin requests
sberyozkin committed Nov 29, 2022
1 parent 3461ad5 commit 3c18d39
Showing 2 changed files with 70 additions and 1 deletion.
@@ -49,6 +49,60 @@ void corsNotMatchingOrigin() {
.header("Access-Control-Allow-Credentials", "false");
}

@Test
void corsSameOriginRequest() {
String origin = "http://localhost:8081";
given().header("Origin", origin)
.get("/test").then()
.statusCode(200)
.header("Access-Control-Allow-Origin", origin);
}

@Test
void corsInvalidSameOriginRequest1() {
String origin = "http";
given().header("Origin", origin)
.get("/test").then()
.statusCode(403)
.header("Access-Control-Allow-Origin", nullValue());
}

@Test
void corsInvalidSameOriginRequest2() {
String origin = "http://local";
given().header("Origin", origin)
.get("/test").then()
.statusCode(403)
.header("Access-Control-Allow-Origin", nullValue());
}

@Test
void corsInvalidSameOriginRequest3() {
String origin = "http://localhost";
given().header("Origin", origin)
.get("/test").then()
.statusCode(403)
.header("Access-Control-Allow-Origin", nullValue());
}

@Test
void corsInvalidSameOriginRequest4() {
String origin = "http://localhost:9999";
given().header("Origin", origin)
.get("/test").then()
.statusCode(403)
.header("Access-Control-Allow-Origin", nullValue());
}

@Test
void corsInvalidSameOriginRequest5() {
String origin = "https://localhost:8483";
given().header("Origin", origin)
.get("/test").then()
.statusCode(403)
.header("Access-Control-Allow-Origin", nullValue());
}

@Test
@DisplayName("Returns false 'Access-Control-Allow-Credentials' header on matching origin '*'")
void corsMatchingOriginWithWildcard() {
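Review bot: None of the negative cases uses an Origin that stops part-way through the port of the server's own origin. Cases 1–3 cut the value at the scheme or host, and cases 4–5 use a port or scheme that is not a prefix of it. Judging by `corsSameOriginRequest`, the test server answers on `http://localhost:8081`, so a case with `String origin = "http://localhost:808";` asserting `statusCode(403)` and `header("Access-Control-Allow-Origin", nullValue())` would pin that boundary. A second useful case needs a server URI without an explicit port, since every rejection of a host-only or truncated-host Origin here depends on the request URI carrying `:8081`.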
@@ -1,5 +1,6 @@
package io.quarkus.vertx.http.runtime.cors;

import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -176,7 +177,7 @@ public void handle(RoutingContext event) {
}

boolean allowsOrigin = isConfiguredWithWildcard(corsConfig.origins) || corsConfig.origins.get().contains(origin)
|| isOriginAllowedByRegex(allowedOriginsRegex, origin);
|| isOriginAllowedByRegex(allowedOriginsRegex, origin) || isSameOrigin(request, origin);

if (allowsOrigin) {
response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
@@ -210,4 +211,18 @@ public void handle(RoutingContext event) {
}
}
}

private static boolean isSameOrigin(HttpServerRequest request, String origin) {
String absUriString = request.absoluteURI();
if (absUriString.startsWith(origin)) {
// Make sure that Origin URI contains scheme, host, and port.
// If no port is set in Origin URI then the request URI must not have it set either
URI baseUri = URI.create(absUriString.substring(0, origin.length()));
if (baseUri.getScheme() != null && baseUri.getHost() != null
&& (baseUri.getPort() > 0 || URI.create(absUriString).getPort() == -1)) {
return true;
}
}
return false;
}
}
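Review bot: `isSameOrigin` accepts any Origin that is a string prefix of `request.absoluteURI()`, so the match can end in the middle of the port or the host instead of at an origin boundary. With the server on `http://localhost:8081`, the value `http://localhost:80` passes `startsWith`, parses with a scheme, a host and a positive port, and returns true; when the request URI has no explicit port, a truncated host such as `http://local` is accepted through the `getPort() == -1` branch. That value is then written to `Access-Control-Allow-Origin` by the `allowsOrigin` branch in `handle`, so a different origin is treated as same-origin. Parse both values and compare scheme, host and port for equality, and return false when `absoluteURI()` is null (Vert.x appears to return null for an unparsable request URI, worth confirming) or when either value is malformed.

```java
private static boolean isSameOrigin(HttpServerRequest request, String origin) {
    String absUriString = request.absoluteURI();
    if (absUriString == null) {
        return false;
    }
    try {
        URI requestUri = URI.create(absUriString);
        URI originUri = URI.create(origin);
        // An origin is the (scheme, host, port) triple: compare each part in full,
        // never as a string prefix. Port -1 means "not present" and must match on both sides.
        return originUri.getScheme() != null && originUri.getHost() != null
                && originUri.getScheme().equalsIgnoreCase(requestUri.getScheme())
                && originUri.getHost().equalsIgnoreCase(requestUri.getHost())
                && originUri.getPort() == requestUri.getPort();
    } catch (IllegalArgumentException e) {
        // Malformed Origin header or request URI: treat as not same-origin.
        return false;
    }
}
```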
