Continue the filter chain on same origin requests

cloudfoundry · Sep 15, 2015 · ff9e612 · ff9e612
1 parent 2f2e655
commit ff9e612
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/common/src/main/java/org/cloudfoundry/identity/uaa/web/CorsFilter.java b/common/src/main/java/org/cloudfoundry/identity/uaa/web/CorsFilter.java
@@ -118,16 +118,13 @@ public void initialize() {
     protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
             final FilterChain filterChain) throws ServletException, IOException {
 
-        if (isXhrRequest(request)) {
+        if (isXhrRequest(request) && isCrossOriginRequest(request)) {
             String method = request.getMethod();
             if (!isCorsXhrAllowedMethod(method)) {
                 response.setStatus(HttpStatus.METHOD_NOT_ALLOWED.value());
                 return;
             }
             String origin = request.getHeader(HttpHeaders.ORIGIN);
-            if (!isCrossOriginRequest(origin)) {
-                return;
-            }
             String requestUri = request.getRequestURI();
             if (!isCorsXhrAllowedRequestUri(requestUri) || !isCorsXhrAllowedOrigin(origin)) {
                 response.setStatus(HttpStatus.FORBIDDEN.value());
@@ -161,8 +158,8 @@ static boolean isXhrRequest(final HttpServletRequest request) {
                         accessControlRequestHeaders, "X-Requested-With"));
     }
 
-    private boolean isCrossOriginRequest(final String origin) {
-        if (StringUtils.isEmpty(origin)) {
+    private boolean isCrossOriginRequest(final HttpServletRequest request) {
+        if (StringUtils.isEmpty(request.getHeader(HttpHeaders.ORIGIN))) {
             return false;
         }
         else {