Skip to content
Permalink
Browse files

FIX: Missing Access-Control-Allow-Origin header after CORS preflight …

…request (fixes #116)
  • Loading branch information
xhanin committed Aug 19, 2014
1 parent c4f1fa0 commit bea3aad4d74a4fb2461e39c75df2b188c19749e0
Showing with 16 additions and 6 deletions.
  1. +16 −6 restx-core/src/main/java/restx/security/CORSFilter.java
@@ -7,7 +7,6 @@
import org.slf4j.LoggerFactory;
import restx.*;
import restx.factory.Component;
import restx.http.HttpStatus;

import java.io.IOException;
import java.util.Collection;
@@ -34,7 +33,7 @@ public CORSFilter(Iterable<CORSAuthorizer> authorizers) {
@Override
public Optional<RestxHandlerMatch> match(RestxRequest req) {
Optional<String> origin = req.getHeader("Origin");
if (origin.isPresent()) {
if (origin.isPresent() && !isSameOrigin(req, origin.get()) && !isPreflightRequest(req)) {
CORS cors = CORS.check(authorizers, req, origin.get(), req.getHttpMethod(), req.getRestxPath());
if (cors.isAccepted()) {
return Optional.of(new RestxHandlerMatch(new StdRestxRequestMatch("*", req.getRestxPath(),
@@ -54,6 +53,12 @@ public CORSFilter(Iterable<CORSAuthorizer> authorizers) {
return Optional.absent();
}

private boolean isPreflightRequest(RestxRequest req) {
return req.getHeader("Origin").isPresent()
&& req.getHeader("Access-Control-Request-Method").isPresent()
&& "OPTIONS".equals(req.getHttpMethod());
}

protected boolean isSimpleCORSRequest(RestxRequest req) {
// see https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
if (!SIMPLE_METHODS.contains(req.getHttpMethod())) {
@@ -69,18 +74,23 @@ protected boolean isSimpleCORSRequest(RestxRequest req) {
return false;
}
}
return true;

}

private boolean isSameOrigin(RestxRequest req, String origin) {
// same origin check.
// see http://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request
Optional<String> host = req.getHeader("Host");
if (!host.isPresent()) {
// no host header, can't check same origin
return true;
return false;
}
if (origin.get().endsWith(host.get())) {
if (origin.endsWith(host.get())) {
logger.debug("Same Origin request not considered as CORS Request: {}", req);
return false;
} else {
return true;
} else {
return false;
}
}

0 comments on commit bea3aad

Please sign in to comment.
You can’t perform that action at this time.