Merge pull request #523 from walmartlabs/user/eran

Set CORS origin header to incoming request origin if allowed
hapijs · Feb 11, 2013 · 7186b3d · 7186b3d
2 parents 703b7f4 + 3fd79f7
commit 7186b3d
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 12 deletions.
diff --git a/lib/response/headers.js b/lib/response/headers.js
@@ -37,15 +37,33 @@ exports.cache = function (response, request) {
 
 exports.cors = function (response, request) {
 
-    if (request.server.settings.cors) {
-        response.header('Access-Control-Allow-Origin', request.server.settings.cors._origin);
-        response.header('Access-Control-Max-Age', request.server.settings.cors.maxAge);
-        response.header('Access-Control-Allow-Methods', request.server.settings.cors._methods);
-        response.header('Access-Control-Allow-Headers', request.server.settings.cors._headers);
-
-        if (request.server.settings.cors.credentials) {
-            response.header('Access-Control-Allow-Credentials', 'true');
+    if (!request.server.settings.cors) {
+        return;
+    }
+
+    if (request.server.settings.cors.origin &&
+        request.server.settings.cors.origin.length) {
+
+        var allowOrigin = request.server.settings.cors.origin;
+        var origin = request.raw.req.headers.origin;
+        if (origin &&
+            (allowOrigin.indexOf(origin) !== -1 || allowOrigin.indexOf('*') !== -1)) {
+
+            allowOrigin = origin;
+        }
+        else {
+            allowOrigin = allowOrigin.join(' ');
         }
+
+        response.header('Access-Control-Allow-Origin', allowOrigin);
+    }
+
+    response.header('Access-Control-Max-Age', request.server.settings.cors.maxAge);
+    response.header('Access-Control-Allow-Methods', request.server.settings.cors._methods);
+    response.header('Access-Control-Allow-Headers', request.server.settings.cors._headers);
+
+    if (request.server.settings.cors.credentials) {
+        response.header('Access-Control-Allow-Credentials', 'true');
     }
 };
 

diff --git a/lib/server.js b/lib/server.js
@@ -150,7 +150,6 @@ module.exports = internals.Server = function (/* host, port, options */) {
     // Generate CORS headers
 
     if (this.settings.cors) {
-        this.settings.cors._origin = (this.settings.cors.origin || []).join(' ');
         this.settings.cors._headers = (this.settings.cors.headers || []).concat(this.settings.cors.additionalHeaders || []).join(', ');
         this.settings.cors._methods = (this.settings.cors.methods || []).concat(this.settings.cors.additionalMethods || []).join(', ');
 

diff --git a/test/integration/response.js b/test/integration/response.js
@@ -41,7 +41,7 @@ describe('Response', function () {
                 this.reply('Tada');
             };
 
-            var server = new Hapi.Server({ cache: { engine: 'memory' }, cors: { origin: ['test.example.com'] } });
+            var server = new Hapi.Server({ cache: { engine: 'memory' }, cors: { origin: ['test.example.com', 'www.example.com'] } });
             server.route({ method: 'GET', path: '/', config: { handler: handler, cache: { mode: 'client', expiresIn: 9999 } } });
             server.route({ method: 'GET', path: '/bound', config: { handler: handlerBound } });
             server.state('sid', { encoding: 'base64' });
@@ -57,14 +57,15 @@ describe('Response', function () {
                 expect(res.result).to.exist;
                 expect(res.result).to.equal('text');
                 expect(res.headers['Cache-Control']).to.equal('max-age=1, must-revalidate');
-                expect(res.headers['Access-Control-Allow-Origin']).to.equal('test.example.com');
+                expect(res.headers['Access-Control-Allow-Origin']).to.equal('test.example.com www.example.com');
                 expect(res.headers['Access-Control-Allow-Credentials']).to.not.exist;
                 expect(res.headers['Set-Cookie']).to.deep.equal(['sid=YWJjZGVmZzEyMzQ1Ng==', 'other=something; Secure', 'x=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT', "test=123", "empty=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"]);
 
-                server.inject({ method: 'GET', url: '/bound' }, function (res) {
+                server.inject({ method: 'GET', url: '/bound', headers: { origin: 'www.example.com' } }, function (res) {
 
                     expect(res.result).to.exist;
                     expect(res.result).to.equal('Tada');
+                    expect(res.headers['Access-Control-Allow-Origin']).to.equal('www.example.com');
                     done();
                 });
             });