authorValerij Fredriksen <freva@users.noreply.github.com>2021-05-11 14:30:41 +0200
committerGitHub <noreply@github.com>2021-05-11 14:30:41 +0200
commit1742c8156364087d9891149e7817b1b48c8f0417 (patch)
tree2569c8fbc1c3e883ef09dc4176797f4752529893
parent016ed26d34ea0582e0e11ffc9ada76ff79a5d889 (diff)
parentfe1bd61832db7a88789232556e9a9c13d4f22815 (diff)
Merge pull request #17821 from vespa-engine/freva/return-correct-on-wildcard
Return request origin when wildcard is allowed
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java21
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilterTest.java2
2 files changed, 8 insertions, 15 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
index d0722cae5ac..650ec851ffd 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
@@ -27,27 +27,20 @@ class CorsLogic {
static Map<String, String> createCorsResponseHeaders(String requestOriginHeader,
Set<String> allowedOrigins) {
if (requestOriginHeader == null) return Map.of();
+
TreeMap<String, String> headers = new TreeMap<>();
- allowedOrigins.stream()
- .filter(allowedUrl -> matchesRequestOrigin(requestOriginHeader, allowedUrl))
- .findAny()
- .ifPresent(allowedOrigin -> headers.put(ALLOW_ORIGIN_HEADER, allowedOrigin));
- ACCESS_CONTROL_HEADERS.forEach(headers::put);
+ if (requestOriginMatchesAnyAllowed(requestOriginHeader, allowedOrigins))
+ headers.put(ALLOW_ORIGIN_HEADER, requestOriginHeader);
+ headers.putAll(ACCESS_CONTROL_HEADERS);
return headers;
}
static Map<String, String> createCorsPreflightResponseHeaders(String requestOriginHeader,
Set<String> allowedOrigins) {
- if (requestOriginHeader == null) return ACCESS_CONTROL_HEADERS;
-
- TreeMap<String, String> headers = new TreeMap<>();
- if (allowedOrigins.stream().anyMatch(allowedUrl -> matchesRequestOrigin(requestOriginHeader, allowedUrl)))
- headers.put(ALLOW_ORIGIN_HEADER, requestOriginHeader);
- ACCESS_CONTROL_HEADERS.forEach(headers::put);
- return headers;
+ return createCorsResponseHeaders(requestOriginHeader, allowedOrigins);
}
- private static boolean matchesRequestOrigin(String requestOrigin, String allowedUrl) {
- return allowedUrl.equals("*") || requestOrigin.startsWith(allowedUrl);
+ private static boolean requestOriginMatchesAnyAllowed(String requestOrigin, Set<String> allowedUrls) {
+ return allowedUrls.stream().anyMatch(requestOrigin::startsWith) || allowedUrls.contains("*");
}
}
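Review bot: `requestOriginMatchesAnyAllowed` still accepts an origin by prefix (`requestOrigin::startsWith`), and `createCorsResponseHeaders` now echoes the request's own Origin instead of the configured entry, so an origin that merely begins with an allowed value is reflected in `Access-Control-Allow-Origin` on regular responses as well as preflights. Unless prefix matching is intended, compare whole origins: `return allowedUrls.contains("*") || allowedUrls.contains(requestOrigin);`. Because the header value now varies per request, the response should also carry `Vary: Origin` so a shared cache does not serve one origin's header to another; whether `ACCESS_CONTROL_HEADERS` already includes it is not visible in this hunk. If that map sets `Access-Control-Allow-Credentials: true` (also not visible here), reflecting the origin under a `*` configuration permits credentialed cross-origin reads from any site, which a literal `*` would not, so that combination deserves an explicit comment or a config check.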
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilterTest.java
index 2967a7659f5..0c8cf9b0ffb 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilterTest.java
@@ -53,7 +53,7 @@ public class CorsResponseFilterTest {
@Test
public void any_request_origin_yields_allow_origin_header_in_response_when_wildcard_is_allowed() {
Map<String, String> headers = doFilterRequest(newResponseFilter("*"), "http://any.origin");
- assertEquals("*", headers.get(ALLOW_ORIGIN_HEADER));
+ assertEquals("http://any.origin", headers.get(ALLOW_ORIGIN_HEADER));
}
private static Map<String, String> doFilterRequest(SecurityResponseFilter filter, String originUrl) {