KEYCLOAK-5946 Make sure wildcard origin is never returned

2017-11-30 12:10:30 +01:00 · 2017-11-30 12:10:30 +01:00 · c3d9f4704e
commit c3d9f4704e
parent 4541acc628
2 changed files with 2 additions and 6 deletions
--- a/services/src/main/java/org/keycloak/services/resources/Cors.java
+++ b/services/src/main/java/org/keycloak/services/resources/Cors.java
@ -148,11 +148,7 @@ public class Cors {
            return builder.build();
        }

-        if (allowedOrigins != null && allowedOrigins.contains(ACCESS_CONTROL_ALLOW_ORIGIN_WILDCARD)) {
-            builder.header(ACCESS_CONTROL_ALLOW_ORIGIN, ACCESS_CONTROL_ALLOW_ORIGIN_WILDCARD);
-        } else {
-            builder.header(ACCESS_CONTROL_ALLOW_ORIGIN, origin);
-        }
+        builder.header(ACCESS_CONTROL_ALLOW_ORIGIN, origin);

        if (preflight) {
            if (allowedMethods != null) {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java
@ -154,7 +154,7 @@ public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {
        request.header(Cors.ORIGIN_HEADER, "http://somehost");
        Response response = request.get();

-        assertEquals("*", response.getHeaders().getFirst(Cors.ACCESS_CONTROL_ALLOW_ORIGIN));
+        assertEquals("http://somehost", response.getHeaders().getFirst(Cors.ACCESS_CONTROL_ALLOW_ORIGIN));
    }

    private OIDCConfigurationRepresentation getOIDCDiscoveryConfiguration(Client client) {