
Do not support any Origin by default if CORS is enabled
sberyozkin committed Dec 5, 2022
1 parent 8c74c08 commit fb24934
Showing 7 changed files with 12 additions and 5 deletions.
@@ -1,3 +1,4 @@
quarkus.http.cors=true
quarkus.http.cors.origins=*
# whitespaces added to test that they are not taken into account config is parsed
quarkus.http.cors.methods=GET, OPTIONS, POST
Expand Up @@ -22,6 +22,7 @@ public class CORSSecurityTestCase {

private static final String APP_PROPS = "" +
"quarkus.http.cors=true\n" +
"quarkus.http.cors.origins=*\n" +
"quarkus.http.cors.methods=GET, OPTIONS, POST\n" +
"quarkus.http.auth.basic=true\n" +
"quarkus.http.auth.policy.r1.roles-allowed=test\n" +
Expand Up @@ -22,6 +22,7 @@ public class CORSWildcardSecurityTestCase {

private static final String APP_PROPS = "" +
"quarkus.http.cors=true\n" +
"quarkus.http.cors.origins=*\n" +
"quarkus.http.auth.basic=true\n" +
"quarkus.http.auth.policy.r1.roles-allowed=test\n" +
"quarkus.http.auth.permission.roles1.paths=/test\n" +
@@ -1,4 +1,5 @@
quarkus.http.cors=true
quarkus.http.cors.origins=*
# whitespaces added to test that they are not taken into account config is parsed
quarkus.http.cors.methods=GET, OPTIONS, POST
quarkus.http.cors.access-control-allow-credentials=true
Expand Up @@ -18,9 +18,6 @@ public class CORSConfig {
* Comma separated list of valid URLs, e.g.: http://www.quarkus.io,http://localhost:3000
* In case an entry of the list is surrounded by forward slashes,
* it is interpreted as a regular expression.
* The filter allows any origin if this is not set.
*
* default: returns any requested origin as valid
*/
@ConfigItem
@ConvertWith(TrimmedStringConverter.class)
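Review bot: The Javadoc now says nothing about what happens when `quarkus.http.cors.origins` is unset, because the removed sentence and the `default:` line were not replaced with the new behavior; judging by the CORSFilter hunk in this commit, an empty Optional now means no origin is allowed. A replacement line at the point where the old text was, such as `* No origin is allowed if this is not set; use `*` to allow any origin.`, would document the new default for users upgrading. The Javadoc comment opens outside the hunk.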
Expand Up @@ -52,6 +52,10 @@ public static boolean isConfiguredWithWildcard(Optional<List<String>> optionalLi
return list.isEmpty() || (list.size() == 1 && "*".equals(list.get(0)));
}

private static boolean isOriginConfiguredWithWildcard(List<String> origins) {
return origins.size() == 1 && "*".equals(origins.get(0));
}

/**
* Parse the provided allowed origins for any regexes
*
Expand Down Expand Up @@ -175,8 +179,9 @@ public void handle(RoutingContext event) {
processRequestedHeaders(response, requestedHeaders);
}

boolean allowsOrigin = isConfiguredWithWildcard(corsConfig.origins) || corsConfig.origins.get().contains(origin)
|| isOriginAllowedByRegex(allowedOriginsRegex, origin);
boolean allowsOrigin = !corsConfig.origins.isEmpty()
&& (isOriginConfiguredWithWildcard(corsConfig.origins.get()) || corsConfig.origins.get().contains(origin)
|| isOriginAllowedByRegex(allowedOriginsRegex, origin));

if (allowsOrigin) {
response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
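Review bot: `isOriginConfiguredWithWildcard` (first hunk) has no Javadoc and repeats the second half of `isConfiguredWithWildcard` directly above it, so the two wildcard rules can now drift apart; `isConfiguredWithWildcard` could instead read `return list.isEmpty() || isOriginConfiguredWithWildcard(list);`, and a one-line comment on the new helper should state that, unlike its sibling, an empty list is deliberately not treated as a wildcard. In the second hunk the new `allowsOrigin` expression calls `corsConfig.origins.get()` twice after the `isEmpty()` guard; `boolean allowsOrigin = corsConfig.origins.map(origins -> isOriginConfiguredWithWildcard(origins) || origins.contains(origin) || isOriginAllowedByRegex(allowedOriginsRegex, origin)).orElse(false);` expresses the same rule without the unchecked get(). Note also that when the wildcard is configured the filter still reflects the requesting origin in the ACCESS_CONTROL_ALLOW_ORIGIN line below rather than sending `*`, so `origins=*` combined with access-control-allow-credentials, as in the updated test properties in this commit, trusts every origin for credentialed requests; a startup warning when that combination is detected would make the explicit opt-in this commit introduces harder to misuse. `handle` continues outside the hunk.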
Expand Up @@ -166,6 +166,7 @@ quarkus.http.auth.permission.post-logout.paths=/tenant-logout/post-logout
quarkus.http.auth.permission.post-logout.policy=permit

quarkus.http.cors=true
quarkus.http.cors.origins=*
quarkus.http.auth.proactive=false
quarkus.http.proxy.enable-forwarded-prefix=true
quarkus.http.proxy.allow-forwarded=true
