Allow multiple origin domains for CORS

kong/plugins/cors/handler.lua

@@ -7,8 +7,23 @@ CorsHandler.PRIORITY = 2000
 
 local OPTIONS = "OPTIONS"
 
+local function host_in_domain(domain, conf)
+  for i, d in ipairs(conf.origin_domains) do
+    if string.match(domain, '[%.|//]'..d..'$') then
+      return true
+    end
+  end
+  return false
+end
+
 local function configure_origin(ngx, conf)
-  if conf.origin == nil then
+  local origin = ngx.req.get_headers()["origin"] or nil
+  if conf.origin_domains ~= nil then
+   if origin ~= nil and host_in_domain(origin, conf) then
+      ngx.header["Access-Control-Allow-Origin"] = origin
+      ngx.header["Vary"] = "Origin"
+    end
+  elseif conf.origin == nil then
     ngx.header["Access-Control-Allow-Origin"] = "*"
   else
     ngx.header["Access-Control-Allow-Origin"] = conf.origin

kong/plugins/cors/schema.lua

@@ -7,6 +7,7 @@ return {
     methods = { type = "array", enum = { "HEAD", "GET", "POST", "PUT", "PATCH", "DELETE" } },
     max_age = { type = "number" },
     credentials = { type = "boolean", default = false },
-    preflight_continue = { type = "boolean", default = false }
+    preflight_continue = { type = "boolean", default = false },
+    origin_domains = { type = "array" }
   }
 }

spec/03-plugins/04-cors/01-access_spec.lua

@@ -23,6 +23,10 @@ describe("Plugin: cors (access)", function()
       request_host = "cors4.com",
       upstream_url = "http://mockbin.com"
     })
+    local api5 = assert(helpers.dao.apis:insert {
+      request_host = "cors5.com",
+      upstream_url = "http://mockbin.com"
+    })
 
     assert(helpers.dao.plugins:insert {
       name = "cors",
@@ -61,6 +65,21 @@ describe("Plugin: cors (access)", function()
       name = "key-auth",
       api_id = api4.id
     })
+
+    assert(helpers.dao.plugins:insert {
+      name = "cors",
+      api_id = api5.id,
+      config = {
+        origin = "example.com",
+        methods = {"GET"},
+        headers = {"origin", "type", "accepts"},
+        exposed_headers = {"x-auth-token"},
+        max_age = 23,
+        preflight_continue = true,
+        origin_domains = 'example.com, example.org'
+      }
+    })
+
   end)
 
   teardown(function()
@@ -176,5 +195,27 @@ describe("Plugin: cors (access)", function()
       assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
       assert.is_nil(res.headers["Access-Control-Max-Age"])
     end)
+    it("sets CORS orgin based on origin host", function()
+      local res = assert(client:send {
+        method = "GET",
+        headers = {
+          ["Host"] = "cors5.com",
+          ["Origin"] = "http://www.example.com"
+        }
+      })
+      assert.res_status(200, res)
+      assert.equal("http://www.example.com", res.headers["Access-Control-Allow-Origin"])
+    end)
+    it("does not sets CORS orgin if origin host is not in origin_domains list", function()
+      local res = assert(client:send {
+        method = "GET",
+        headers = {
+          ["Host"] = "cors5.com",
+          ["Origin"] = "http://www.example.net"
+        }
+      })
+      assert.res_status(200, res)
+      assert.is_nil(res.headers["Access-Control-Allow-Origin"])
+    end)
   end)
 end)