From f4dde34949810cf5ad96c07107aa2d7ff1487aab Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Tue, 31 Jan 2023 19:58:51 +0000
Subject: [PATCH] Allow same origin CORS requests without 3rd party origins being configured
---
 ...SameOriginWithoutOriginConfigTestCase.java | 36 +++++++++++++++++++
 .../conf/cors-same-origin-only.properties | 1 +
 .../vertx/http/runtime/cors/CORSFilter.java | 11 +++---
 3 files changed, 44 insertions(+), 4 deletions(-)
 create mode 100644 extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSameOriginWithoutOriginConfigTestCase.java
 create mode 100644 extensions/vertx-http/deployment/src/test/resources/conf/cors-same-origin-only.properties
diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSameOriginWithoutOriginConfigTestCase.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSameOriginWithoutOriginConfigTestCase.java
new file mode 100644
index 0000000000000..2d288d0ed45bb
--- /dev/null
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSameOriginWithoutOriginConfigTestCase.java
@@ -0,0 +1,36 @@
+package io.quarkus.vertx.http.cors;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.Matchers.nullValue;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+
+class CORSSameOriginWithoutOriginConfigTestCase {
+
+ @RegisterExtension
+ static QuarkusUnitTest runner = new QuarkusUnitTest()
+ .withApplicationRoot((jar) -> jar
+ .addClasses(BeanRegisteringRoute.class)
+ .addAsResource("conf/cors-same-origin-only.properties", "application.properties"));
+
+ @Test
+ void corsSameOriginRequest() {
+ String origin = "http://localhost:8081";
+ given().header("Origin", origin)
+ .get("/test").then()
+ .statusCode(200)
+ .header("Access-Control-Allow-Origin", origin);
+ }
+
+ @Test
+ void corsInvalidSameOriginRequest() {
+ String origin = "http://externalhost:8081";
+ given().header("Origin", origin)
+ .get("/test").then()
+ .statusCode(403)
+ .header("Access-Control-Allow-Origin", nullValue());
+ }
+}
diff --git a/extensions/vertx-http/deployment/src/test/resources/conf/cors-same-origin-only.properties b/extensions/vertx-http/deployment/src/test/resources/conf/cors-same-origin-only.properties
new file mode 100644
index 0000000000000..228ebaf416aed
--- /dev/null
+++ b/extensions/vertx-http/deployment/src/test/resources/conf/cors-same-origin-only.properties
@@ -0,0 +1 @@
+quarkus.http.cors=true
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
index 30d1ad80ec87e..9722e703417e2 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
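Review bot: Both tests hard-code `http://localhost:8081` as the application's own origin, which appears to rely on the QuarkusUnitTest default test port; if that port ever changes the positive case fails (or the negative case passes for the wrong reason), so deriving it from the running test, e.g. `String origin = "http://localhost:" + RestAssured.port;`, ties the assertion to the real server origin. The negative case only varies the host, yet same-origin means scheme, host and port all agree; a second rejected request with `http://localhost:8080` (port differs) or `https://localhost:8081` (scheme differs) would pin down that near-misses are refused, which is the behaviour that matters once no explicit origins are configured. A one-line class comment such as `// quarkus.http.cors=true with no quarkus.http.cors.origins: only the app's own origin may be echoed back` would make the purpose of the `cors-same-origin-only.properties` resource obvious to the next reader.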
@@ -187,10 +187,13 @@ public void handle(RoutingContext event) {
 boolean allowsOrigin = wildcardOrigin;
 if (!allowsOrigin) {
- allowsOrigin = !corsConfig.origins.isEmpty()
- && (corsConfig.origins.get().contains(origin)
- || isOriginAllowedByRegex(allowedOriginsRegex, origin)
- || isSameOrigin(request, origin));
+ if (!corsConfig.origins.isEmpty()) {
+ allowsOrigin = corsConfig.origins.get().contains(origin)
+ || isOriginAllowedByRegex(allowedOriginsRegex, origin)
+ || isSameOrigin(request, origin);
+ } else {
+ allowsOrigin = isSameOrigin(request, origin);
+ }
 }
 if (allowsOrigin) {
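Review bot: The new `else` branch makes `isSameOrigin` the sole gate whenever `quarkus.http.cors.origins` is unset, so that helper's comparison of scheme, host and port against the `Origin` header (defined outside this hunk, as is the rest of `handle`) now decides the default-configuration behaviour on its own, and nothing in the hunk records that intent. A comment on the branch, e.g. `// no explicit origins configured: only echo back the application's own origin (scheme, host and port must all match)`, would stop a later reader from treating the empty-origins case as "CORS disabled" or from loosening the comparison; the request-side values presumably come from the Host header, which the client supplies, so the comment should also say that a match only ever reflects the caller's own origin. Stylistically the two branches duplicate the `isSameOrigin` call; `allowsOrigin = isSameOrigin(request, origin) || (!corsConfig.origins.isEmpty() && (corsConfig.origins.get().contains(origin) || isOriginAllowedByRegex(allowedOriginsRegex, origin)));` expresses the same decision once, at the cost of evaluating the same-origin check first, which is fine if both helpers are side-effect free.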