Kong · thibaultcha · Apr 25, 2017 · Apr 25, 2017
diff --git a/kong/plugins/cors/handler.lua b/kong/plugins/cors/handler.lua
@@ -55,11 +55,19 @@ end
 
 
 local function configure_credentials(ngx, conf)
-  if ngx.ctx.cors_allow_all then
-    ngx.header["Access-Control-Allow-Credentials"] = "false"
+  if conf.credentials then
+    if not ngx.ctx.cors_allow_all then
+      ngx.header["Access-Control-Allow-Credentials"] = "true"
+      return
+    end
 
-  elseif conf.credentials then
-    ngx.header["Access-Control-Allow-Credentials"] = "true"
+    -- Access-Control-Allow-Origin is '*', must change it because ACAC cannot
+    -- be 'true' if ACAO is '*'.
+    local req_origin = ngx.var.http_origin
+    if req_origin then
+      ngx.header["Access-Control-Allow-Origin"]      = req_origin
+      ngx.header["Access-Control-Allow-Credentials"] = "true"
+    end
   end
 end
 

diff --git a/spec/03-plugins/14-cors/01-access_spec.lua b/spec/03-plugins/14-cors/01-access_spec.lua
@@ -35,6 +35,11 @@ describe("Plugin: cors (access)", function()
       hosts = { "cors6.com" },
       upstream_url = "http://mockbin.com"
     })
+    local api7 = assert(helpers.dao.apis:insert {
+      name = "api-7",
+      hosts = { "cors7.com" },
+      upstream_url = "http://mockbin.com"
+    })
 
     assert(helpers.dao.plugins:insert {
       name = "cors",
@@ -80,7 +85,8 @@ describe("Plugin: cors (access)", function()
       name = "cors",
       api_id = api5.id,
       config = {
-        origins = { "*" }
+        origins = { "*" },
+        credentials = true
       }
     })
 
@@ -97,6 +103,15 @@ describe("Plugin: cors (access)", function()
       }
     })
 
+    assert(helpers.dao.plugins:insert {
+      name = "cors",
+      api_id = api7.id,
+      config = {
+        origins = { "*" },
+        credentials = false
+      }
+    })
+
     assert(helpers.start_kong())
     client = helpers.proxy_client()
   end)
@@ -119,7 +134,7 @@ describe("Plugin: cors (access)", function()
       assert.equal("*", res.headers["Access-Control-Allow-Origin"])
       assert.is_nil(res.headers["Access-Control-Allow-Headers"])
       assert.is_nil(res.headers["Access-Control-Expose-Headers"])
-      assert.equal("false", res.headers["Access-Control-Allow-Credentials"])
+      assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
       assert.is_nil(res.headers["Access-Control-Max-Age"])
     end)
 
@@ -135,7 +150,7 @@ describe("Plugin: cors (access)", function()
       assert.equal("*", res.headers["Access-Control-Allow-Origin"])
       assert.is_nil(res.headers["Access-Control-Allow-Headers"])
       assert.is_nil(res.headers["Access-Control-Expose-Headers"])
-      assert.equal("false", res.headers["Access-Control-Allow-Credentials"])
+      assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
       assert.is_nil(res.headers["Access-Control-Max-Age"])
     end)
 
@@ -196,7 +211,7 @@ describe("Plugin: cors (access)", function()
       assert.is_nil(res.headers["Access-Control-Allow-Methods"])
       assert.is_nil(res.headers["Access-Control-Allow-Headers"])
       assert.is_nil(res.headers["Access-Control-Expose-Headers"])
-      assert.equal("false", res.headers["Access-Control-Allow-Credentials"])
+      assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
       assert.is_nil(res.headers["Access-Control-Max-Age"])
     end)
 
@@ -229,7 +244,7 @@ describe("Plugin: cors (access)", function()
       assert.is_nil(res.headers["Access-Control-Allow-Methods"])
       assert.is_nil(res.headers["Access-Control-Allow-Headers"])
       assert.is_nil(res.headers["Access-Control-Expose-Headers"])
-      assert.equal("false", res.headers["Access-Control-Allow-Credentials"])
+      assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
       assert.is_nil(res.headers["Access-Control-Max-Age"])
     end)
 
@@ -245,7 +260,7 @@ describe("Plugin: cors (access)", function()
       assert.is_nil(res.headers["Access-Control-Allow-Methods"])
       assert.is_nil(res.headers["Access-Control-Allow-Headers"])
       assert.is_nil(res.headers["Access-Control-Expose-Headers"])
-      assert.equal("false", res.headers["Access-Control-Allow-Credentials"])
+      assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
       assert.is_nil(res.headers["Access-Control-Max-Age"])
     end)
 
@@ -272,5 +287,44 @@ describe("Plugin: cors (access)", function()
       assert.res_status(200, res)
       assert.is_nil(res.headers["Access-Control-Allow-Origin"])
     end)
+
+    it("responds with the requested Origin when config.credentials=true", function()
+      local res = assert(client:send {
+        method = "GET",
+        headers = {
+          ["Host"] = "cors5.com",
+          ["Origin"] = "http://www.example.net"
+        }
+      })
+      assert.res_status(200, res)
+      assert.equals("http://www.example.net", res.headers["Access-Control-Allow-Origin"])
+      assert.equals("true", res.headers["Access-Control-Allow-Credentials"])
+    end)
+
+    it("responds with the requested Origin (including port) when config.credentials=true", function()
+      local res = assert(client:send {
+        method = "GET",
+        headers = {
+          ["Host"] = "cors5.com",
+          ["Origin"] = "http://www.example.net:3000"
+        }
+      })
+      assert.res_status(200, res)
+      assert.equals("http://www.example.net:3000", res.headers["Access-Control-Allow-Origin"])
+      assert.equals("true", res.headers["Access-Control-Allow-Credentials"])
+    end)
+
+    it("responds with * when config.credentials=false", function()
+      local res = assert(client:send {
+        method = "GET",
+        headers = {
+          ["Host"] = "cors7.com",
+          ["Origin"] = "http://www.example.net"
+        }
+      })
+      assert.res_status(200, res)
+      assert.equals("*", res.headers["Access-Control-Allow-Origin"])
+      assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
+    end)
   end)
 end)