Revert "KTOR-2872 Add check to prevent anyHost with allowCredentials (#2536)" (#2896)

hfhbd · web-flow · commit f9d843517e5e · 2022-03-14T13:55:09.000+01:00
This reverts commit a82e199. Co-authored-by: hfhbd <hfhbd@users.noreply.github.com>
diff --git a/ktor-server/ktor-server-core/jvm/src/io/ktor/features/CORS.kt b/ktor-server/ktor-server-core/jvm/src/io/ktor/features/CORS.kt
@@ -93,15 +93,6 @@ public class CORS(configuration: Configuration) {
                 }
         )
 
-    init {
-        if (configuration.allowCredentials) {
-            require(!allowsAnyHost) {
-                "AnyHost * is not allowed in combination with Allow-Credentials, see " +
-                    "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials."
-            }
-        }
-    }
-
     /**
      * Feature's call interceptor that does all the job. Usually there is no need to install it as it is done during
      * feature installation
@@ -116,8 +107,7 @@ public class CORS(configuration: Configuration) {
         val origin = call.request.headers.getAll(HttpHeaders.Origin)?.singleOrNull() ?: return
 
         when (checkOrigin(origin, call.request.origin)) {
-            OriginCheckResult.OK -> {
-            }
+            OriginCheckResult.OK -> {}
             OriginCheckResult.SkipCORS -> return
             OriginCheckResult.Failed -> {
                 context.respondCorsFailed()
@@ -193,7 +183,7 @@ public class CORS(configuration: Configuration) {
     }
 
     private fun ApplicationCall.accessControlAllowOrigin(origin: String) {
-        if (allowsAnyHost) {
+        if (allowsAnyHost && !allowCredentials) {
             response.header(HttpHeaders.AccessControlAllowOrigin, "*")
         } else {
             response.header(HttpHeaders.AccessControlAllowOrigin, origin)
diff --git a/ktor-server/ktor-server-core/jvm/test/io/ktor/tests/features/CORSTest.kt b/ktor-server/ktor-server-core/jvm/test/io/ktor/tests/features/CORSTest.kt
@@ -11,17 +11,6 @@ import kotlin.test.*
 
 class CORSTest {
 
-    @Test
-    fun anyHostWithAllowCredentialsShouldFail() {
-        val config = CORS.Configuration().apply {
-            allowCredentials = true
-            anyHost()
-        }
-        assertFailsWith<IllegalArgumentException> {
-            CORS(config)
-        }
-    }
-
     @Test
     fun originValidation() {
         val feature = CORS(
diff --git a/ktor-server/ktor-server-tests/jvm/test/io/ktor/tests/server/features/CORSTest.kt b/ktor-server/ktor-server-tests/jvm/test/io/ktor/tests/server/features/CORSTest.kt
@@ -20,6 +20,7 @@ class CORSTest {
         withTestApplication {
             application.install(CORS) {
                 anyHost()
+                allowCredentials = true
             }
 
             application.routing {
@@ -41,6 +42,7 @@ class CORSTest {
         withTestApplication {
             application.install(CORS) {
                 anyHost()
+                allowCredentials = true
             }
 
             application.routing {
@@ -64,6 +66,7 @@ class CORSTest {
         withTestApplication {
             application.install(CORS) {
                 anyHost()
+                allowCredentials = true
             }
 
             application.routing {
@@ -303,6 +306,32 @@ class CORSTest {
         }
     }
 
+    @Test
+    fun testSimpleStarCredentials() {
+        withTestApplication {
+            application.install(CORS) {
+                anyHost()
+                allowCredentials = true
+            }
+
+            application.routing {
+                get("/") {
+                    call.respond("OK")
+                }
+            }
+
+            handleRequest(HttpMethod.Get, "/") {
+                addHeader(HttpHeaders.Origin, "http://my-host")
+            }.let { call ->
+                assertEquals(HttpStatusCode.OK, call.response.status())
+                assertEquals("http://my-host", call.response.headers[HttpHeaders.AccessControlAllowOrigin])
+                assertEquals("true", call.response.headers[HttpHeaders.AccessControlAllowCredentials])
+                assertEquals(HttpHeaders.Origin, call.response.headers[HttpHeaders.Vary])
+                assertEquals("OK", call.response.content)
+            }
+        }
+    }
+
     @Test
     fun testSimpleNull() {
         withTestApplication {
@@ -326,6 +355,30 @@ class CORSTest {
         }
     }
 
+    @Test
+    fun testSimpleNullAllowCredentials() {
+        withTestApplication {
+            application.install(CORS) {
+                anyHost()
+                allowCredentials = true
+            }
+
+            application.routing {
+                get("/") {
+                    call.respond("OK")
+                }
+            }
+
+            handleRequest(HttpMethod.Get, "/") {
+                addHeader(HttpHeaders.Origin, "null")
+            }.let { call ->
+                assertEquals(HttpStatusCode.OK, call.response.status())
+                assertEquals("null", call.response.headers[HttpHeaders.AccessControlAllowOrigin])
+                assertEquals("OK", call.response.content)
+            }
+        }
+    }
+
     @Test
     fun testSameOriginEnabled() {
         withTestApplication {
@@ -397,6 +450,7 @@ class CORSTest {
         withTestApplication {
             application.install(CORS) {
                 anyHost()
+                allowCredentials = true
             }
 
             application.routing {
