fix(cors): treat empty Origin header same as missing header #14368
Conversation
team-eng-enablement
added
the
author/community
| @@ -89,7 +89,7 @@ local function configure_origin(conf, header_filter, req_origin) | |||
| end | |||
| end | |||
|
|
|||
| if req_origin then | |||
| if req_origin and req_origin ~= "" then | |||
There was a problem hiding this comment.
Perhaps this way it's simpler?
| if req_origin and req_origin ~= "" then | |
| if req_origin == "" then | |
| req_origin = nil | |
| end | |
| if req_origin then |
There was a problem hiding this comment.
Hi @StarlightIbuki ,
Thanks a lot for reviewing this PR and for your suggestion!
I agree, your proposed change does make the conditional logic simpler and the code cleaner. That's a good direction.
One minor point I noticed is that this approach would convert an empty string req_origin ("") into nil. While this doesn't have a functional impact on the current plugin's behavior, it does lead to a subtle loss of information by removing the distinction between an explicitly empty origin and a non-existent one (nil).
Inspired by your comment aiming for simplification, what do you think about encapsulating this check into a small helper function instead? This way, we can keep the main logic clean while preserving the original values.
Something like this:
local function is_valid_origin(origin)
return origin and origin ~= ""
end
We could then use if is_valid_origin(req_origin) then ... in the configure_origin function.
Let me know your thoughts! Thanks again for the feedback.
Summary
This change ensures that an empty Origin header (
Origin: "") is treatedthe same way as a missing Origin header, fixing inconsistent behavior
between these two cases.
Checklist
changelog/unreleased/kongorskip-changeloglabel added on PR if changelog is unnecessary. README.mdIssue reference
Fix #14352