fix corsOrigin wildcard handling regression in Sourcegraph 3.3.8 (!4785) · Merge requests · Warren Gifford / sourcegraph

Warren Gifford requested to merge sg/fix-cors into master Jul 03, 2019

Created by: slimsag

Prior to 34caedf364b18559ce62f7cba036d6cd890de179 it was the case that:

"corsOrigin": "*"
Request header: Origin: *

or:

"corsOrigin": "*"
Request header: Origin: https://www.google.com

Would always respond with:

Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * ...

However, that change introduced a regression breaking anyone relying on that behavior, for example in the context of making API requests from a web browser or other API client that respects CORS when Sourcegraph is deployed behind a corporate VPN. The wildcard was no longer respected.

This PR fixes this appropriately by ensuring that when those two requests are made we correctly respond the following (for each request, respectively):

Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * ...

Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://www.google.com ...

Which is the correct and logical way to respect wildcard CORS origins.

Fixes #4424 (closed)

Test plan:

fix corsOrigin wildcard handling regression in Sourcegraph 3.3.8

Merge request reports