Skip to content

Commit

Permalink
Return allowed CORS headers in the letter case they were submitted in
Browse files Browse the repository at this point in the history
  • Loading branch information
sberyozkin committed Dec 5, 2022
1 parent b3edfef commit bd521fc
Show file tree
Hide file tree
Showing 3 changed files with 29 additions and 8 deletions.
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package io.quarkus.vertx.http.cors;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.nullValue;
import static org.hamcrest.core.Is.is;

import org.junit.jupiter.api.DisplayName;
Expand All @@ -22,7 +23,7 @@ public class CORSHandlerTestCase {
public void corsPreflightTestServlet() {
String origin = "http://custom.origin.quarkus";
String methods = "GET,POST";
String headers = "X-Custom, content-type";
String headers = "X-Custom,content-type";
given().header("Origin", origin)
.header("Access-Control-Request-Method", methods)
.header("Access-Control-Request-Headers", headers)
Expand All @@ -35,12 +36,29 @@ public void corsPreflightTestServlet() {
.header("Access-Control-Allow-Headers", headers);
}

@Test
public void corsPreflightTestUnmatchedHeader() {
String origin = "http://custom.origin.quarkus";
String methods = "GET,POST";
String headers = "X-Customs,content-types";
given().header("Origin", origin)
.header("Access-Control-Request-Method", methods)
.header("Access-Control-Request-Headers", headers)
.when()
.options("/test").then()
.statusCode(200)
.header("Access-Control-Allow-Origin", origin)
.header("Access-Control-Allow-Methods", methods)
.header("Access-Control-Allow-Credentials", "true")
.header("Access-Control-Allow-Headers", nullValue());
}

@Test
@DisplayName("Handles a direct CORS request correctly")
public void corsNoPreflightTestServlet() {
String origin = "http://custom.origin.quarkus";
String methods = "GET,POST";
String headers = "x-custom, CONTENT-TYPE";
String headers = "x-custom,CONTENT-TYPE";
given().header("Origin", origin)
.header("Access-Control-Request-Method", methods)
.header("Access-Control-Request-Headers", headers)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@ quarkus.http.cors=true
# whitespaces added to test that they are not taken into account config is parsed
quarkus.http.cors.methods=GET, OPTIONS, POST
quarkus.http.cors.access-control-allow-credentials=true
quarkus.http.cors.access-control-allow-headers=x-custom,CONTENT-TYPE
quarkus.http.cors.headers=x-custom,CONTENT-TYPE
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;
Expand Down Expand Up @@ -98,24 +100,25 @@ private void processRequestedHeaders(HttpServerResponse response, String allowHe
if (isConfiguredWithWildcard(corsConfig.headers)) {
response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, allowHeadersValue);
} else {
List<String> requestedHeaders;
Map<String, String> requestedHeaders;
String[] allowedParts = COMMA_SEPARATED_SPLIT_REGEX.split(allowHeadersValue);
requestedHeaders = new ArrayList<>(allowedParts.length);
requestedHeaders = new HashMap<>();
for (String requestedHeader : allowedParts) {
requestedHeaders.add(requestedHeader.toLowerCase());
requestedHeaders.put(requestedHeader.toLowerCase(), requestedHeader);
}

List<String> corsConfigHeaders = corsConfig.headers.get();
StringBuilder allowedHeaders = new StringBuilder();
boolean isFirst = true;
for (String configHeader : corsConfigHeaders) {
if (requestedHeaders.contains(configHeader.toLowerCase())) {
String configHeaderLowerCase = configHeader.toLowerCase();
if (requestedHeaders.containsKey(configHeaderLowerCase)) {
if (isFirst) {
isFirst = false;
} else {
allowedHeaders.append(',');
}
allowedHeaders.append(configHeader);
allowedHeaders.append(requestedHeaders.get(configHeaderLowerCase));
}
}

Expand Down

0 comments on commit bd521fc

Please sign in to comment.