
FIX: Missing Access-Control-Allow-Origin header after CORS preflight …

…request (fixes #116)
xhanin committed Aug 19, 2014
1 parent c4f1fa0 commit bea3aad4d74a4fb2461e39c75df2b188c19749e0
Showing with 16 additions and 6 deletions.
  1. +16 −6 restx-core/src/main/java/restx/security/CORSFilter.java
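--- a/restx-core/src/main/java/restx/security/CORSFilter.java
+++ b/restx-core/src/main/java/restx/security/CORSFilter.java
@@ -7,7 +7,6 @@
 import org.slf4j.LoggerFactory;
 import restx.*;
 import restx.factory.Component;
-import restx.http.HttpStatus;
 import java.io.IOException;
 import java.util.Collection;
@@ -34,7 +33,7 @@ public CORSFilter(Iterable<CORSAuthorizer> authorizers) {
 @Override
 public Optional<RestxHandlerMatch> match(RestxRequest req) {
 Optional<String> origin = req.getHeader("Origin");
-if (origin.isPresent()) {
+if (origin.isPresent() && !isSameOrigin(req, origin.get()) && !isPreflightRequest(req)) {
 CORS cors = CORS.check(authorizers, req, origin.get(), req.getHttpMethod(), req.getRestxPath());
 if (cors.isAccepted()) {
 return Optional.of(new RestxHandlerMatch(new StdRestxRequestMatch("*", req.getRestxPath(),
@@ -54,6 +53,12 @@ public CORSFilter(Iterable<CORSAuthorizer> authorizers) {
 return Optional.absent();
 }
+private boolean isPreflightRequest(RestxRequest req) {
+return req.getHeader("Origin").isPresent()
+&& req.getHeader("Access-Control-Request-Method").isPresent()
+&& "OPTIONS".equals(req.getHttpMethod());
+}
+
 protected boolean isSimpleCORSRequest(RestxRequest req) {
 // see https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
 if (!SIMPLE_METHODS.contains(req.getHttpMethod())) {
@@ -69,18 +74,23 @@ protected boolean isSimpleCORSRequest(RestxRequest req) {
 return false;
 }
 }
+return true;
+
+}
+
+private boolean isSameOrigin(RestxRequest req, String origin) {
 // same origin check.
 // see http://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request
 Optional<String> host = req.getHeader("Host");
 if (!host.isPresent()) {
 // no host header, can't check same origin
-return false;
+return false;
 }
-if (origin.get().endsWith(host.get())) {
+if (origin.endsWith(host.get())) {
 logger.debug("Same Origin request not considered as CORS Request: {}", req);
-return false;
-} else {
 return true;
+} else {
+return false;
 }
 }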
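Review bot: The same-origin test on the new `if (origin.endsWith(host.get()))` line in isSameOrigin is a suffix match on a client-supplied header, so an Origin whose host merely ends with the Host value (constructed example: `http://notexample.com` against Host `example.com`) is classified as same-origin, and scheme and port are never compared at all; a request classified that way never reaches the `CORS.check` call in match(), so the authorizers are not consulted for it. Compare the origin's authority (host[:port]) against the Host value exactly and treat a malformed Origin as not same-origin, as below; this needs `java.net.URI` in the import block, which lies above this section. A Host value carrying an explicit default port will then differ from an Origin that omits it, which errs on the side of applying the CORS check. The `req.getHeader("Origin").isPresent()` test in the new isPreflightRequest repeats what its only caller has already established on the new match() condition and could be dropped.
```java
private boolean isSameOrigin(RestxRequest req, String origin) {
    // … unchanged: comments and Host header lookup …
    if (!host.isPresent()) {
        // no host header, can't check same origin
        return false;
    }
    // Compare the whole authority, not a suffix: scheme-less, port-aware, case-insensitive host match.
    String originAuthority;
    try {
        originAuthority = URI.create(origin).getAuthority();
    } catch (IllegalArgumentException e) {
        logger.debug("Malformed Origin header, not considered same origin: {}", origin);
        return false;
    }
    if (originAuthority != null && originAuthority.equalsIgnoreCase(host.get())) {
        logger.debug("Same Origin request not considered as CORS Request: {}", req);
        return true;
    }
    return false;
}
```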

