Add Access-Control-Request-Method check for CORS preflight requests

sdeleuze · sdeleuze · commit 8ee0e78980de · 2015-07-07T09:34:39.000+02:00
Issue: SPR-13193
diff --git a/spring-web/src/main/java/org/springframework/web/cors/CorsUtils.java b/spring-web/src/main/java/org/springframework/web/cors/CorsUtils.java
@@ -41,7 +41,8 @@ public static boolean isCorsRequest(HttpServletRequest request) {
 	 * Returns {@code true} if the request is a valid CORS pre-flight one.
 	 */
 	public static boolean isPreFlightRequest(HttpServletRequest request) {
-		return (isCorsRequest(request) && request.getMethod().equals(HttpMethod.OPTIONS.name()));
+		return (isCorsRequest(request) && request.getMethod().equals(HttpMethod.OPTIONS.name())
+				&& request.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD) != null);
 	}
 
 }
diff --git a/spring-web/src/test/java/org/springframework/web/cors/CorsUtilsTests.java b/spring-web/src/test/java/org/springframework/web/cors/CorsUtilsTests.java
@@ -21,6 +21,7 @@
 import org.junit.Test;
 
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
 import org.springframework.mock.web.test.MockHttpServletRequest;
 
 /**
@@ -46,7 +47,7 @@ public void isNotCorsRequest() {
 	@Test
 	public void isPreFlightRequest() {
 		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.setMethod("OPTIONS");
+		request.setMethod(HttpMethod.OPTIONS.name());
 		request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
 		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		assertTrue(CorsUtils.isPreFlightRequest(request));
@@ -58,10 +59,12 @@ public void isNotPreFlightRequest() {
 		assertFalse(CorsUtils.isPreFlightRequest(request));
 
 		request = new MockHttpServletRequest();
+		request.setMethod(HttpMethod.OPTIONS.name());
 		request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
 		assertFalse(CorsUtils.isPreFlightRequest(request));
 
 		request = new MockHttpServletRequest();
+		request.setMethod(HttpMethod.OPTIONS.name());
 		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		assertFalse(CorsUtils.isPreFlightRequest(request));
 	}
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/FrameworkServlet.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/FrameworkServlet.java
@@ -61,6 +61,7 @@
 import org.springframework.web.context.support.ServletRequestHandledEvent;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 import org.springframework.web.context.support.XmlWebApplicationContext;
+import org.springframework.web.cors.CorsUtils;
 import org.springframework.web.util.NestedServletException;
 import org.springframework.web.util.WebUtils;
 
@@ -903,7 +904,7 @@ protected final void doDelete(HttpServletRequest request, HttpServletResponse re
 	protected void doOptions(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {
 
-		if (this.dispatchOptionsRequest || request.getHeader("Origin") != null) {
+		if (this.dispatchOptionsRequest || CorsUtils.isPreFlightRequest(request)) {
 			processRequest(request, response);
 			if (response.containsHeader("Allow")) {
 				// Proper OPTIONS response coming from a handler - we're done.

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,8 @@ public static boolean isCorsRequest(HttpServletRequest request) {`
`41`	`41`	`* Returns {@code true} if the request is a valid CORS pre-flight one.`
`42`	`42`	`*/`
`43`	`43`	`public static boolean isPreFlightRequest(HttpServletRequest request) {`
`44`		`- return (isCorsRequest(request) && request.getMethod().equals(HttpMethod.OPTIONS.name()));`
	`44`	`+ return (isCorsRequest(request) && request.getMethod().equals(HttpMethod.OPTIONS.name())`
	`45`	`+ && request.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD) != null);`
`45`	`46`	`}`
`46`	`47`
`47`	`48`	`}`