CorsConfiguration ignores trailing "/" in pattern
Recent commit dddcc5e9ad ensured a
trailing "/" in the Origin header has no effect. This commit does the
same for a trailing "/" in configured patterns.
See gh-26892
@@ -282,17 +282,25 @@ public class CorsConfigurationTests {
|
||||
|
||||
@Test
|
||||
public void checkOriginAllowed() {
|
||||
// "*" matches
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.addAllowedOrigin("*");
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("*");
|
||||
|
||||
// "*" does not match together with allowCredentials
|
||||
config.setAllowCredentials(true);
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> config.checkOrigin("https://domain.com"));
|
||||
|
||||
// specific origin matches Origin header with or without trailing "/"
|
||||
config.setAllowedOrigins(Collections.singletonList("https://domain.com"));
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
|
||||
assertThat(config.checkOrigin("https://domain.com/")).isEqualTo("https://domain.com");
|
||||
|
||||
// specific origin with trailing "/" matches Origin header with or without trailing "/"
|
||||
config.setAllowedOrigins(Collections.singletonList("https://domain.com/"));
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
|
||||
assertThat(config.checkOrigin("https://domain.com/")).isEqualTo("https://domain.com");
|
||||
|
||||
config.setAllowCredentials(false);
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
|
||||
}
|
||||
|
||||
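Review bot: Every assertion in `checkOriginAllowed` is a positive match, so nothing in this method pins that the trailing-"/" tolerance stops at a single slash and does not loosen origin comparison more broadly. After the `setAllowedOrigins(Collections.singletonList("https://domain.com/"))` block I would add negative cases such as `assertThat(config.checkOrigin("https://domain.com//")).isNull();` and `assertThat(config.checkOrigin("https://domain.com/path")).isNull();`, adjusting the expectation if the implementation deliberately treats those inputs differently. The commit title speaks of patterns, but the visible lines only exercise `setAllowedOrigins`; if the origin-pattern setters go through the same normalisation, an equivalent assertion for them is worth having, unless a sibling test outside this hunk already covers it.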