authorValerij Fredriksen <valerij92@gmail.com>2021-05-11 14:08:09 +0200
committerValerij Fredriksen <valerij92@gmail.com>2021-05-11 14:11:44 +0200
commitfe1bd61832db7a88789232556e9a9c13d4f22815 (patch)
treeeb566244b046860dfef00eae2c5c2bc869479c63 /jdisc-security-filters/src/main
parent4ae244bc86782b3dc36257edcfabc2e38f510cf7 (diff)
Return request origin when wildcard is allowed
Diffstat (limited to 'jdisc-security-filters/src/main')
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java21
1 files changed, 7 insertions, 14 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
index d0722cae5ac..650ec851ffd 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
@@ -27,27 +27,20 @@ class CorsLogic {
static Map<String, String> createCorsResponseHeaders(String requestOriginHeader,
Set<String> allowedOrigins) {
if (requestOriginHeader == null) return Map.of();
+
TreeMap<String, String> headers = new TreeMap<>();
- allowedOrigins.stream()
- .filter(allowedUrl -> matchesRequestOrigin(requestOriginHeader, allowedUrl))
- .findAny()
- .ifPresent(allowedOrigin -> headers.put(ALLOW_ORIGIN_HEADER, allowedOrigin));
- ACCESS_CONTROL_HEADERS.forEach(headers::put);
+ if (requestOriginMatchesAnyAllowed(requestOriginHeader, allowedOrigins))
+ headers.put(ALLOW_ORIGIN_HEADER, requestOriginHeader);
+ headers.putAll(ACCESS_CONTROL_HEADERS);
return headers;
}
static Map<String, String> createCorsPreflightResponseHeaders(String requestOriginHeader,
Set<String> allowedOrigins) {
- if (requestOriginHeader == null) return ACCESS_CONTROL_HEADERS;
-
- TreeMap<String, String> headers = new TreeMap<>();
- if (allowedOrigins.stream().anyMatch(allowedUrl -> matchesRequestOrigin(requestOriginHeader, allowedUrl)))
- headers.put(ALLOW_ORIGIN_HEADER, requestOriginHeader);
- ACCESS_CONTROL_HEADERS.forEach(headers::put);
- return headers;
+ return createCorsResponseHeaders(requestOriginHeader, allowedOrigins);
}
- private static boolean matchesRequestOrigin(String requestOrigin, String allowedUrl) {
- return allowedUrl.equals("*") || requestOrigin.startsWith(allowedUrl);
+ private static boolean requestOriginMatchesAnyAllowed(String requestOrigin, Set<String> allowedUrls) {
+ return allowedUrls.stream().anyMatch(requestOrigin::startsWith) || allowedUrls.contains("*");
}
}
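Review bot: `requestOriginMatchesAnyAllowed` accepts an origin by prefix (`requestOrigin::startsWith`), and `createCorsResponseHeaders` now writes the request's own `Origin` value into `ALLOW_ORIGIN_HEADER` instead of the configured entry, so an origin that merely begins with an allowed entry (constructed example: allowed `https://app.example`, request `https://app.example.other.test`) is reflected verbatim. Unless existing configurations depend on prefix entries, compare whole origins: `return allowedUrls.contains("*") || allowedUrls.contains(requestOrigin);`. With `*` configured, the non-preflight path now reflects every origin rather than answering with a literal `*`; the contents of `ACCESS_CONTROL_HEADERS` are not visible in this hunk, so confirm that it does not enable credentials and that responses carry `Vary: Origin`, since the header value now differs per request. The preflight path also changes for a missing `Origin`: it previously returned `ACCESS_CONTROL_HEADERS` and now returns an empty map through the delegate, which deserves a test or a comment if intended.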