FIX: Missing Access-Control-Allow-Origin header after CORS preflight …
…request (fixes #116)
xhanin committed Aug 19, 2014
1 parent c4f1fa0 commit bea3aad
Showing 1 changed file with 16 additions and 6 deletions.
22 changes: 16 additions & 6 deletions restx-core/src/main/java/restx/security/CORSFilter.java
Expand Up @@ -7,7 +7,6 @@
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import restx.*; import restx.*;
import restx.factory.Component; import restx.factory.Component;
import restx.http.HttpStatus;


import java.io.IOException; import java.io.IOException;
import java.util.Collection; import java.util.Collection;
Expand All @@ -34,7 +33,7 @@ public CORSFilter(Iterable<CORSAuthorizer> authorizers) {
@Override @Override
public Optional<RestxHandlerMatch> match(RestxRequest req) { public Optional<RestxHandlerMatch> match(RestxRequest req) {
Optional<String> origin = req.getHeader("Origin"); Optional<String> origin = req.getHeader("Origin");
if (origin.isPresent()) { if (origin.isPresent() && !isSameOrigin(req, origin.get()) && !isPreflightRequest(req)) {
CORS cors = CORS.check(authorizers, req, origin.get(), req.getHttpMethod(), req.getRestxPath()); CORS cors = CORS.check(authorizers, req, origin.get(), req.getHttpMethod(), req.getRestxPath());
if (cors.isAccepted()) { if (cors.isAccepted()) {
return Optional.of(new RestxHandlerMatch(new StdRestxRequestMatch("*", req.getRestxPath(), return Optional.of(new RestxHandlerMatch(new StdRestxRequestMatch("*", req.getRestxPath(),
Expand All @@ -54,6 +53,12 @@ public Optional<RestxHandlerMatch> match(RestxRequest req) {
return Optional.absent(); return Optional.absent();
} }


private boolean isPreflightRequest(RestxRequest req) {
return req.getHeader("Origin").isPresent()
&& req.getHeader("Access-Control-Request-Method").isPresent()
&& "OPTIONS".equals(req.getHttpMethod());
}

protected boolean isSimpleCORSRequest(RestxRequest req) { protected boolean isSimpleCORSRequest(RestxRequest req) {
// see https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS // see https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
if (!SIMPLE_METHODS.contains(req.getHttpMethod())) { if (!SIMPLE_METHODS.contains(req.getHttpMethod())) {
Expand All @@ -69,18 +74,23 @@ protected boolean isSimpleCORSRequest(RestxRequest req) {
return false; return false;
} }
} }
return true;

}

private boolean isSameOrigin(RestxRequest req, String origin) {
// same origin check. // same origin check.
// see http://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request // see http://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request
Optional<String> host = req.getHeader("Host"); Optional<String> host = req.getHeader("Host");
if (!host.isPresent()) { if (!host.isPresent()) {
// no host header, can't check same origin // no host header, can't check same origin
return true; return false;
} }
if (origin.get().endsWith(host.get())) { if (origin.endsWith(host.get())) {
logger.debug("Same Origin request not considered as CORS Request: {}", req); logger.debug("Same Origin request not considered as CORS Request: {}", req);
return false;
} else {
return true; return true;
} else {
return false;
} }
} }


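Review bot: The same-origin test in the new `isSameOrigin` is a suffix match, `origin.endsWith(host.get())`, so an Origin whose host merely ends with the Host value (constructed example: Origin `http://attacker-example.com` against Host `example.com`) is classified as same origin and, through the new condition in `match()`, never reaches `CORS.check`; the old code carried the same weakness, but the rewrite is the moment to close it. If this filter is what denies unauthorized origins, that is a bypass of the check rather than a fail-closed outcome, which is hard to confirm from the visible lines since the rejecting branch of `match()` lies outside the hunks. Compare the authority of the Origin against Host exactly instead, e.g. `String originAuthority = URI.create(origin).getAuthority();` followed by `if (originAuthority != null && host.get().equalsIgnoreCase(originAuthority)) {`, catching the `IllegalArgumentException` that `URI.create` throws on a malformed Origin and treating it, like `Origin: null` (no authority), as not same origin so it falls through to the CORS check. The change to `return false` when the Host header is missing is the right direction and should stay; `java.net.URI` would need adding to the import block touched by the first hunk.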
