Allow CORS same origin requests

[stuartwdouglas]

No description provided.

[sberyozkin]

Thanks @stuartwdouglas, it does look like it will offer a more optimal way of comparing Origin and the request URI, and if necessary, we can follow up with adding a flag making the same origin check optional

[maxandersen]

-1 on blindly allowing same origin hosts by default. You are basically trusting the client to speak the truth allowing to trick Quarkus into accept from any host name (not just localhost) which is problematic.

we should check what other fwks do here - the only reason it worked before was due to another CORS filter bug.

[stuartwdouglas]

-1 on blindly allowing same origin hosts by default. You are basically trusting the client to speak the truth allowing to trick Quarkus into accept from any host name (not just localhost) which is problematic.

we should check what other fwks do here - the only reason it worked before was due to another CORS filter bug.

That is the point.

CORS is intended to prevent trusted clients (i.e. browsers implementing the web security model) from being tricked by a malicious site into sending requests to other sites.

If the client is compromised then CORS is useless, the client can send any origin it wants so no matter what is configured the client can send something that would be expected. This type of issue is prevented by requiring authentication.

[sberyozkin]

Re-opening for another round of reviews

[quarkus-bot]

Failing Jobs - Building 2ce7349

Status	Name	Step	Failures	Logs	Raw logs
✔️	JVM Tests - JDK 11
✔️	JVM Tests - JDK 17
✖	JVM Tests - JDK 17 MacOS M1	Set up runner	⚠️ Check →	Logs	Raw logs
✔️	JVM Tests - JDK 18
✔️	Maven Tests - JDK 11
⌛	Maven Tests - JDK 11 Windows	Build	⚠️ Check →	Logs	Raw logs

[maxandersen]

+1 after reviewing and discussion on enabling same origin even when additional hosts specified for cors.

[sberyozkin]

Thanks @stuartwdouglas @maxandersen