
Commit 4ee736f

committed
Correct the CORS policy headers.
1 parent 62b0b3d commit 4ee736f

1 file changed

Lines changed: 19 additions & 16 deletions


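--- a/src/main/java/org/tinystruct/handler/HttpRequestHandler.java
+++ b/src/main/java/org/tinystruct/handler/HttpRequestHandler.java
@@ -61,22 +61,27 @@ public HttpRequestHandler(Configuration<String> configuration) {
 
 @Override
 protected void channelRead0(ChannelHandlerContext ctx, FullHttpRequest original) {
+String origin = original.headers().get(HttpHeaderNames.ORIGIN);
+// Allow origins: prefer explicit setting, otherwise echo Origin or wildcard
+String allowOrigin = configuration.getOrDefault("cors.allowed.origins", origin != null ? origin : "*");
+FullHttpResponse response = new DefaultFullHttpResponse(HTTP_1_1, OK);
+response.headers().set(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, allowOrigin);
+// Make responses vary by Origin when echoing it
+if (origin != null) {
+response.headers().set(HttpHeaderNames.VARY, "Origin");
+}
+
+// Allow credentials if explicitly enabled in settings
+if ("true".equalsIgnoreCase(configuration.get("cors.allow.credentials"))) {
+response.headers().set(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
+}
+
 // Handle CORS preflight (OPTIONS) requests up-front: these have no body.
 if (original.method() == HttpMethod.OPTIONS) {
 // CORS preflight handling with configurability
-String origin = original.headers().get(HttpHeaderNames.ORIGIN);
 String acrMethod = original.headers().get(HttpHeaderNames.ACCESS_CONTROL_REQUEST_METHOD);
 String acrHeaders = original.headers().get(HttpHeaderNames.ACCESS_CONTROL_REQUEST_HEADERS);
 
-// Allow origins: prefer explicit setting, otherwise echo Origin or wildcard
-String allowOrigin = configuration.getOrDefault("cors.allowed.origins", origin != null ? origin : "*");
-FullHttpResponse response = new DefaultFullHttpResponse(HTTP_1_1, OK);
-response.headers().set(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, allowOrigin);
-// Make responses vary by Origin when echoing it
-if (origin != null) {
-response.headers().set(HttpHeaderNames.VARY, "Origin");
-}
-
 // Allow methods: prefer configured list, otherwise echo requested or use sensible defaults
 String allowMethods = configuration.getOrDefault("cors.allowed.methods", acrMethod != null ? acrMethod : "GET,POST,PUT,DELETE,OPTIONS");
 response.headers().set(HttpHeaderNames.ACCESS_CONTROL_ALLOW_METHODS, allowMethods);
@@ -85,19 +90,17 @@ protected void channelRead0(ChannelHandlerContext ctx, FullHttpRequest original)
 String allowHeaders = configuration.getOrDefault("cors.allowed.headers", acrHeaders != null ? acrHeaders : "Content-Type,Authorization");
 response.headers().set(HttpHeaderNames.ACCESS_CONTROL_ALLOW_HEADERS, allowHeaders);
 
-// Allow credentials if explicitly enabled in settings
-if ("true".equalsIgnoreCase(configuration.get("cors.allow.credentials"))) {
-response.headers().set(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
-}
-
 // Cache the preflight response for a configurable duration (seconds)
 String maxAge = configuration.getOrDefault("cors.preflight.maxage", "3600");
 response.headers().set(HttpHeaderNames.ACCESS_CONTROL_MAX_AGE, maxAge);
 
-response.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
+response.headers().set(HttpHeaderNames.CONTENT_LENGTH, -1);
 ctx.writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
 return;
 }
+
+ctx.writeAndFlush(response);
+
 // Decide whether to close the connection or not.
 boolean keepAlive = HttpUtil.isKeepAlive(original);
 boolean ssl = Boolean.parseBoolean(configuration.getOrDefault("ssl.enabled", "false"));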
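Review bot: When `cors.allowed.origins` is unset, the block added at the top of channelRead0 echoes the request's `Origin` into `Access-Control-Allow-Origin` and, if `cors.allow.credentials` is `true`, also sends `Access-Control-Allow-Credentials: true`, which tells a browser to let any site read credentialed responses; before this commit that combination was only built for the OPTIONS preflight. The credentials header should be sent only for an origin that matches an explicit allowlist, for example by changing the guard to `if (configuration.get("cors.allowed.origins") != null && "true".equalsIgnoreCase(configuration.get("cors.allow.credentials")))` (assuming `get` returns null for an unset key) and comparing `origin` against the configured value before echoing it. In the second hunk, `CONTENT_LENGTH, -1` is not a valid Content-Length and should stay `0` for the empty preflight body, and the unconditional `ctx.writeAndFlush(response)` after the OPTIONS branch looks like it sends an empty 200 before the request is handled. channelRead0 continues past the end of the hunk, so how the real response is built is not visible here.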
