http-cors: wildcards do not consider domain separation #1265

Open
marcoreni opened this issue Dec 13, 2024 · 1 comment

@marcoreni

Describe the bug
When adding an origin with a wildcard, it's unclear why domains are not fully matched.

For example, if I add *.foo.com I would expect to match bar.foo.com but also my.bar.foo.com.

Instead, the Regexp used explicitly prevents . inside the wildcard: https://github.com/middyjs/middy/blob/main/packages/http-cors/index.js#L70C5-L70C77

This is not documented.

Expected behaviour

  1. Document this behavior
    OR
  2. Extend the regexp to include .

Additional context
Add any other context about the problem here.

@marcoreni marcoreni added the bug label Dec 13, 2024
@willfarrell
Member

This is actually by design as a security feature. This allows you more control over what you whitelist. You should be able to add *.foo.com and *.*.foo.com.
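
An added illustration of the behaviour discussed in this thread (not part of the issue and not middy's own code): a hypothetical matcher, `compileOrigin` / `isAllowed`, in which `*` either stays within one DNS label or is allowed to cross `.`. The `https://` prefix and all origins below are constructed sample values.

```javascript
// Hypothetical helpers for illustration; names and regexes are assumptions,
// not the http-cors implementation.

// Escape regex metacharacters so "." in "foo.com" only matches a literal dot.
const escapeRegExp = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');

// Compile one allow-list entry into an anchored RegExp.
// labelScoped = true : "*" matches exactly one label (no "." inside it)
// labelScoped = false: "*" matches across labels, i.e. any subdomain depth
function compileOrigin(pattern, labelScoped = true) {
  const wildcard = labelScoped ? '[^.]+' : '.+';
  const source = pattern.split('*').map(escapeRegExp).join(wildcard);
  return new RegExp(`^${source}$`);
}

// True if the request's Origin header matches any allow-list entry.
function isAllowed(origin, patterns, labelScoped = true) {
  return patterns.some((p) => compileOrigin(p, labelScoped).test(origin));
}

// Constructed sample origins.
const origins = [
  'https://bar.foo.com',
  'https://my.bar.foo.com',
  'https://barfoo.com',
  'https://bar.foo.com.example.net',
];

// Compare three configurations side by side.
function report() {
  return origins.map((origin) => ({
    origin,
    oneLevel: isAllowed(origin, ['https://*.foo.com']),
    twoLevels: isAllowed(origin, ['https://*.foo.com', 'https://*.*.foo.com']),
    anyDepth: isAllowed(origin, ['https://*.foo.com'], false),
  }));
}

console.table(report());
```

With label-scoped wildcards each extra subdomain level has to be listed explicitly, so the allow-list states exactly how deep delegation goes.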
