Do not use wildcard in OCAO header

samie · Jul 25, 2024 · 508d45f · 508d45f
1 parent 62d8b6c
commit 508d45f
Showing 1 changed file with 22 additions and 26 deletions.
diff --git a/src/main/java/com/example/application/CORSFilter.java b/src/main/java/com/example/application/CORSFilter.java
@@ -13,38 +13,34 @@
 @WebFilter(filterName = "Vaadin CORS Filter", asyncSupported = true, urlPatterns = "/*")
 public class CORSFilter extends HttpFilter {
 
+    private String allowedOrigins = "https://samie.github.io";
 
-        static {
-            System.out.println("LOAD");
-        }
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
 
-        @Override
-        public void init(FilterConfig filterConfig) throws ServletException {
-            System.out.println("REGISTER");
+    @Override
+    public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+        String origin = request.getHeader("Origin");
+        if (isOrginAllowed(origin)) {
+            response.setHeader("Access-Control-Allow-Origin", allowedOrigins);
+            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+            response.setHeader("Access-Control-Allow-Headers", "Content-Type");
         }
 
-        @Override
-        public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
-            String origin = request.getHeader("Origin");
-            if (isOrginAllowed(origin)) {
-                response.setHeader("Access-Control-Allow-Origin", "*");
-                response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
-                response.setHeader("Access-Control-Allow-Headers", "Content-Type");
-            }
-
-            if ("options".equalsIgnoreCase(request.getMethod())) {
-                response.addHeader("Access-Control-Allow-Methods", "GET, POST");
-                response.addHeader("Access-Control-Allow-Headers", "content-type");
-                response.getWriter().flush();
-                return;
-            }
-            filterChain.doFilter(request, response);
-
+        if ("options".equalsIgnoreCase(request.getMethod())) {
+            response.addHeader("Access-Control-Allow-Methods", "GET, POST");
+            response.addHeader("Access-Control-Allow-Headers", "content-type");
+            response.getWriter().flush();
+            return;
         }
+        filterChain.doFilter(request, response);
 
-        private boolean isOrginAllowed(String origin) {
-            return true;
-        }
+    }
+
+    private boolean isOrginAllowed(String origin) {
+        return origin != null && allowedOrigins.contains(origin);
+    }
 
     @Configuration
     public static class SpringBootSupport {