# ktor

Jørund Amsen

12/02/2019, 12:32 PM
So I can't seem to get
install(CORS){
   host("*.somedomain.com")
}
to work, does it not support the *. notation?
You are absolutely correct, that was just me typing it 😉

Jonathan Mew

12/02/2019, 12:37 PM
cool, removed my now unhelpful comments 🙂
Does the server start up okay? Can you inspect the requests that you send in your browser okay?

Jørund Amsen

12/02/2019, 12:42 PM
The server starts up, anything in the requests that could be useful?

Jonathan Mew

12/02/2019, 12:52 PM
Actually, looking at the code, it doesn't appear to support the *.domain structure. You can give a list of subdomains, but not a wildcarded parent domain.

Jørund Amsen

12/02/2019, 12:53 PM
Yeah, I seemed to notice the same looking through the code and the tests for it...
I thought this was pretty standard
Can you see if the subdomains perhaps support *?

Jonathan Mew

12/02/2019, 12:55 PM
from CORS.kt
private fun corsCheckOrigins(origin: String): Boolean {
    return allowsAnyHost || normalizeOrigin(origin) in hostsNormalized
}
Any subdomains are all normalized and added to the hostsNormalized: HashSet<String> and that needs to actually contain the request origin according to corsCheckOrigins, so doesn't look like it
Consistent with the spec - maybe there are good security reasons not to allow wildcards https://tools.ietf.org/html/rfc6454#section-7.1

Jørund Amsen

12/02/2019, 1:25 PM
Oh, that's interesting. I feel like I've always used wildcards for subdomains. This is problematic