authorAndreas Eriksen <andreer@yahooinc.com>2022-08-17 15:28:10 +0200
committerAndreas Eriksen <andreer@yahooinc.com>2022-08-17 15:28:10 +0200
commitb8d3a365a922a1843caadeec7982efac6de9d769 (patch)
tree9328d134761861f9ce1fd0c9d30e4b728110e1d7 /jdisc-security-filters
parent0936584bd463831c14631906abfea7f683ad9822 (diff)
compare oranges with oranges
Diffstat (limited to 'jdisc-security-filters')
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java2
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java8
2 files changed, 9 insertions, 1 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
index 3f6801eebe7..1ff76fd45ac 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
@@ -41,6 +41,6 @@ class CorsLogic {
}
private static boolean requestOriginMatchesAnyAllowed(String requestOrigin, Set<String> allowedUrls) {
- return allowedUrls.stream().anyMatch(requestOrigin::startsWith) || allowedUrls.contains("*");
+ return allowedUrls.stream().anyMatch(requestOrigin::equals) || allowedUrls.contains("*");
}
}
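Review bot: The exact comparison in `requestOriginMatchesAnyAllowed` streams over a `Set<String>`, where `return allowedUrls.contains(requestOrigin) || allowedUrls.contains("*");` states the same check more directly. Null handling of `requestOrigin` would differ between the two forms, and whether it can be null is not visible in this hunk. The line also deserves a comment recording why the match must be exact, for example `// Exact match only: a prefix match also accepts origins that merely start with an allowed value`. Matching is now byte-for-byte, so an allowed value that used to cover the same host with an explicit port (`https://host` accepting `https://host:8443`) no longer does. That fails closed, but it is a behaviour change worth stating in the configuration documentation.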
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java
index b5b94d5a2c2..7ba050b7cc0 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java
@@ -43,6 +43,14 @@ public class CorsPreflightRequestFilterTest {
}
@Test
+ void extended_request_origin_does_not_yield_allow_origin_header_in_response() {
+ final String ALLOWED_ORIGIN = "https://allowed.origin";
+ final String EXTENDED_ORIGIN = "https://allowed.origin.as.subdomain.com";
+ HeaderFields headers = doFilterRequest(newRequestFilter(ALLOWED_ORIGIN), EXTENDED_ORIGIN);
+ assertNull(headers.getFirst(ALLOW_ORIGIN_HEADER));
+ }
+
+ @Test
void allowed_wildcard_origin_yields_origin_header_in_response() {
final String ALLOWED_ORIGIN = "http://allowed.origin";
HeaderFields headers = doFilterRequest(newRequestFilter("*"), ALLOWED_ORIGIN);
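Review bot: The new test `extended_request_origin_does_not_yield_allow_origin_header_in_response` pins only the host-extension case. The old prefix match also accepted an allowed origin followed by a port, and nothing here covers that case. A second case with a constructed value such as `final String EXTENDED_ORIGIN = "https://allowed.origin:8443";` and the same `assertNull(headers.getFirst(ALLOW_ORIGIN_HEADER));` would make the stricter behaviour explicit. The test class and the following wildcard test continue outside this hunk.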