Diffstat (limited to 'jdisc-security-filters')
2 files changed, 9 insertions, 1 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
index 3f6801eebe7..1ff76fd45ac 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
@@ -41,6 +41,6 @@ class CorsLogic {
 }
 private static boolean requestOriginMatchesAnyAllowed(String requestOrigin, Set<String> allowedUrls) {
- return allowedUrls.stream().anyMatch(requestOrigin::startsWith) || allowedUrls.contains("*");
+ return allowedUrls.stream().anyMatch(requestOrigin::equals) || allowedUrls.contains("*");
 }
 }
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java
index b5b94d5a2c2..7ba050b7cc0 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java
@@ -43,6 +43,14 @@ public class CorsPreflightRequestFilterTest {
 }
 @Test
+ void extended_request_origin_does_not_yield_allow_origin_header_in_response() {
+ final String ALLOWED_ORIGIN = "https://allowed.origin";
+ final String EXTENDED_ORIGIN = "https://allowed.origin.as.subdomain.com";
+ HeaderFields headers = doFilterRequest(newRequestFilter(ALLOWED_ORIGIN), EXTENDED_ORIGIN);
+ assertNull(headers.getFirst(ALLOW_ORIGIN_HEADER));
+ }
+
+ @Test
 void allowed_wildcard_origin_yields_origin_header_in_response() {
 final String ALLOWED_ORIGIN = "http://allowed.origin";
 HeaderFields headers = doFilterRequest(newRequestFilter("*"), ALLOWED_ORIGIN); |
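Review bot: In `requestOriginMatchesAnyAllowed` the new `allowedUrls.stream().anyMatch(requestOrigin::equals)` is a plain set lookup and reads more directly as `allowedUrls.contains(requestOrigin)`. The reason for exact matching is not recorded next to the code; a comment above the return such as `// Exact match only: a prefix match also accepts origins that merely begin with an allowed one.` would keep a later edit from loosening it again. The comparison is case- and format-sensitive, so a configured entry with a trailing slash or different casing will never match; whether entries are normalized when the configuration is read is not visible in this hunk. The rest of `CorsLogic` lies outside the hunk.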
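Review bot: The added test `extended_request_origin_does_not_yield_allow_origin_header_in_response` covers only an origin extended with further host labels. A second negative case where the allowed origin is extended with a port (a constructed value such as `"https://allowed.origin:8443"`) would pin the other shape the old prefix match accepted. The `CorsLogic` change is exercised here through the preflight filter only; if another filter calls the same method, which this diff does not show, it deserves the same assertion. The following `allowed_wildcard_origin_yields_origin_header_in_response` test continues past the end of the hunk.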