Structured parsing of the Origin header (issue #2007) #2082
Work done in conjunction with Hosam Aly (@hosamaly) at Syntactic Sugar, London.

Instead of being interpreted as a string, the Origin header is now interpreted as a "null" header or a non-empty list of "hosts" as specified in the RFC: https://tools.ietf.org/html/rfc6454#section-7

Note that we don't use `Uri` to model the hosts because the RFC states that only a scheme, host, and port are acceptable.

The following MDN article is the first hit on Google. It states that the empty string is a valid Origin header. While this is technically incorrect, we do permissively parse the empty string as a null header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

This PR also updates some tests in CORSSpec that erroneously added a trailing slash to headers in their test data.
This looks good. Run it through scalafmt and the build will succeed.

Ah! Thanks for the tip. Rerunning...

Looks great. Thanks!
This PR improves the parsing of the `Origin` header. It's joint work with @hosamaly at Syntactic Sugar, London.

Instead of being interpreted as a string, the header is now interpreted as a list of items of type `Origin.Host`. These are similar to `Uri`s except that Origin only permits a scheme, host, and port.

We commonly think of the Origin as containing a single host. According to the Mozilla Developer page, however, the header may be an empty string (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin). And according to the RFC, it may contain multiple hosts (https://tools.ietf.org/html/rfc6454#section-7).

There's one last complication. The RFC technically states that `Origin` may be the literal string `null`, which translates to an "opaque origin" ()
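
The following is an added example, not code from this PR or from http4s: a self-contained Scala parser for the RFC 6454 section 7 grammar the description refers to (`null`, or a space-separated list of `scheme "://" host [ ":" port ]`), with the empty string accepted as null as the PR describes. The type names `ParsedOrigin`, `NullOrigin`, `OriginHost` and `HostList` are hypothetical, and the host pattern is a simplifying assumption (reg-name, IPv4, or bracketed IPv6 literal).

```scala
// Added illustration; these types are hypothetical, not http4s's own API.
sealed trait ParsedOrigin
case object NullOrigin extends ParsedOrigin
final case class OriginHost(scheme: String, host: String, port: Option[Int])
final case class HostList(hosts: List[OriginHost]) extends ParsedOrigin

object OriginParser {
  // serialized-origin = scheme "://" host [ ":" port ]   (RFC 6454 section 7)
  // Assumption: host is a reg-name/IPv4 address or a bracketed IPv6 literal.
  private val Serialized =
    """([A-Za-z][A-Za-z0-9+.\-]*)://(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-]+)(?::([0-9]{1,5}))?""".r

  private def parseHost(s: String): Either[String, OriginHost] = s match {
    // The regex must match the whole token, so paths, queries and userinfo fail.
    case Serialized(scheme, host, port) =>
      val p = Option(port).map(_.toInt) // an absent port group is null
      if (p.exists(_ > 65535)) Left(s"port out of range: $s")
      else Right(OriginHost(scheme.toLowerCase, host.toLowerCase, p))
    case _ => Left(s"not a serialized origin: $s")
  }

  def parse(value: String): Either[String, ParsedOrigin] = value.trim match {
    case "" | "null" => Right(NullOrigin) // empty string accepted permissively
    case list =>
      // Entries are separated by exactly one space; a double space fails.
      val parsed = list.split(" ", -1).toList
        .foldRight[Either[String, List[OriginHost]]](Right(Nil)) { (part, acc) =>
          for { hs <- acc; h <- parseHost(part) } yield h :: hs
        }
      parsed.map(HostList(_))
  }
}

object Demo extends App {
  // Constructed sample header values.
  List(
    "https://example.com",
    "https://example.com:8443 http://a.example",
    "null",
    "",
    "https://example.com/",     // trailing slash: a path is not part of an origin
    "https://user@example.com"  // userinfo is not part of an origin
  ).foreach(v => println(s"'$v' -> ${OriginParser.parse(v)}"))
}
```

Because the result is a structured value rather than a string, a CORS allow-list check can compare scheme, host and port field by field, and a value with a trailing slash is rejected at parse time instead of silently failing a string comparison.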