jamesdixon
diff --git a/‎API.md
Lines changed: 0 additions & 10 deletions b/‎API.md
Lines changed: 0 additions & 10 deletions
diff --git a/‎lib/cors.js
Lines changed: 75 additions & 90 deletions b/‎lib/cors.js
Lines changed: 75 additions & 90 deletions
diff --git a/‎lib/defaults.js
Lines changed: 1 addition & 4 deletions b/‎lib/defaults.js
Lines changed: 1 addition & 4 deletions
diff --git a/‎lib/schema.js
Lines changed: 2 additions & 5 deletions b/‎lib/schema.js
Lines changed: 2 additions & 5 deletions
@@ -2143,13 +2143,6 @@ following options:
       The array can contain any combination of fully qualified origins along with origin
       strings containing a wildcard '*' character, or a single `'*'` origin string. Defaults
       to any origin `['*']`.
-    - `matchOrigin` - if `true`, matches the value of the incoming 'Origin' header to the
-      list of `origin` values ('*' matches anything) and if a match is found, uses that as
-      the value of the 'Access-Control-Allow-Origin' response header. When false, the
-      `origin` config is returned as-is. Defaults to `true`.
-    - `isOriginExposed` - if `false`, prevents the connection from returning the full list
-      of non-wildcard `origin` values if the incoming origin header does not match any of
-      the values. Has no impact if `matchOrigin` is set to `false`. Defaults to `true`.
     - `maxAge` - number of seconds the browser should cache the CORS response
       ('Access-Control-Max-Age'). The greater the value, the longer it will take before the
       browser checks for changes in policy. Defaults to `86400` (one day).
@@ -2164,9 +2157,6 @@ following options:
       `exposedHeaders`. Use this to keep the default headers in place.
     - `credentials` - if `true`, allows user credentials to be sent
       ('Access-Control-Allow-Credentials'). Defaults to `false`.
-    - `override` - if `false`, preserves existing CORS headers set manually before the
-      response is sent. If set to `'merge'`, appends the configured values to the manually set
-      headers (applies only to Access-Control-Expose-Headers). Defaults to `true`.
 
 - `ext` - defined a route-level [request extension points](#request-lifecycle) by setting
   the option to an object with a key for each of the desired extension points (`'onRequest'`
 
@@ -22,105 +22,28 @@ exports.route = function (options) {
     settings._headersString = settings._headers.join(',');
     settings._exposedHeaders = settings.exposedHeaders.concat(settings.additionalExposedHeaders).join(',');
 
-    if (settings.origin.length) {
+    if (settings.origin.indexOf('*') !== -1) {
+        Hoek.assert(settings.origin.length === 1, 'Cannot specify cors.origin * together with other values');
+        settings._origin = true;
+    }
+    else {
         settings._origin = {
-            any: false,
             qualified: [],
-            qualifiedString: '',
             wildcards: []
         };
 
-        if (settings.origin.indexOf('*') !== -1) {
-            Hoek.assert(settings.origin.length === 1, 'Cannot specify cors.origin * together with other values');
-            settings._origin.any = true;
-        }
-        else {
-            for (var c = 0, cl = settings.origin.length; c < cl; ++c) {
-                var origin = settings.origin[c];
-                if (origin.indexOf('*') !== -1) {
-                    settings._origin.wildcards.push(new RegExp('^' + Hoek.escapeRegex(origin).replace(/\\\*/g, '.*').replace(/\\\?/g, '.') + '$'));
-                }
-                else {
-                    settings._origin.qualified.push(origin);
-                }
+        for (var c = 0, cl = settings.origin.length; c < cl; ++c) {
+            var origin = settings.origin[c];
+            if (origin.indexOf('*') !== -1) {
+                settings._origin.wildcards.push(new RegExp('^' + Hoek.escapeRegex(origin).replace(/\\\*/g, '.*').replace(/\\\?/g, '.') + '$'));
             }
-
-            Hoek.assert(settings.matchOrigin || !settings._origin.wildcards.length, 'Cannot include wildcard origin values with matchOrigin disabled');
-            settings._origin.qualifiedString = settings._origin.qualified.join(' ');
-        }
-    }
-
-    return settings;
-};
-
-
-exports.headers = function (response, options) {
-
-    var request = response.request;
-    var settings = options || request.route.settings.cors;
-    if (!settings) {
-        return;
-    }
-
-    if (settings._origin &&
-        (!response.headers['access-control-allow-origin'] || settings.override)) {
-
-        if (settings.matchOrigin) {
-            response.vary('origin');
-            if (internals.matchOrigin(request.headers.origin, settings)) {
-                response._header('access-control-allow-origin', request.headers.origin);
-            }
-            else if (settings.isOriginExposed) {
-                response._header('access-control-allow-origin', settings._origin.any ? '*' : settings._origin.qualifiedString);
+            else {
+                settings._origin.qualified.push(origin);
             }
         }
-        else if (settings._origin.any) {
-            response._header('access-control-allow-origin', '*');
-        }
-        else {
-            response._header('access-control-allow-origin', settings._origin.qualifiedString);
-        }
-    }
-
-    var config = { override: !!settings.override };                                                         // Value can be 'merge'
-
-    if (settings.credentials) {
-        response._header('access-control-allow-credentials', 'true', { override: settings.override });
-    }
-
-    // Appended headers
-
-    if (settings.override === 'merge') {
-        config.append = true;
-    }
-
-    if (settings._exposedHeaders.length !== 0) {
-        response._header('access-control-expose-headers', settings._exposedHeaders, config);
-    }
-};
-
-
-internals.matchOrigin = function (origin, settings) {
-
-    if (!origin) {
-        return false;
-    }
-
-    if (settings._origin.any) {
-        return true;
-    }
-
-    if (settings._origin.qualified.indexOf(origin) !== -1) {
-        return true;
-    }
-
-    for (var i = 0, il = settings._origin.wildcards.length; i < il; ++i) {
-        if (origin.match(settings._origin.wildcards[i])) {
-            return true;
-        }
     }
 
-    return false;
+    return settings;
 };
 
 
@@ -184,6 +107,12 @@ internals.handler = function (request, reply) {
         return reply(Boom.notFound());
     }
 
+    // Validate Origin header
+
+    if (!internals.matchOrigin(origin, settings)) {
+        return reply(Boom.notFound());
+    }
+
     // Validate allowed headers
 
     var headers = request.headers['access-control-request-headers'];
@@ -197,8 +126,64 @@ internals.handler = function (request, reply) {
     // Reply with the route CORS headers
 
     var response = reply();
-    exports.headers(response, settings);
+    response._header('access-control-allow-origin', request.headers.origin);
     response._header('access-control-allow-methods', method);
     response._header('access-control-allow-headers', settings._headersString);
     response._header('access-control-max-age', settings.maxAge);
+
+    if (settings.credentials) {
+        response._header('access-control-allow-credentials', 'true');
+    }
+
+    if (settings._exposedHeaders) {
+        response._header('access-control-expose-headers', settings._exposedHeaders);
+    }
+};
+
+
+exports.headers = function (response) {
+
+    var request = response.request;
+    var settings = request.route.settings.cors;
+    if (!settings) {
+        return;
+    }
+
+    response.vary('origin');
+
+    if (!request.headers.origin ||
+        !internals.matchOrigin(request.headers.origin, settings)) {
+
+        return;
+    }
+
+    response._header('access-control-allow-origin', request.headers.origin);
+
+    if (settings.credentials) {
+        response._header('access-control-allow-credentials', 'true');
+    }
+
+    if (settings._exposedHeaders) {
+        response._header('access-control-expose-headers', settings._exposedHeaders, { append: true });
+    }
+};
+
+
+internals.matchOrigin = function (origin, settings) {
+
+    if (settings._origin === true) {
+        return true;
+    }
+
+    if (settings._origin.qualified.indexOf(origin) !== -1) {
+        return true;
+    }
+
+    for (var i = 0, il = settings._origin.wildcards.length; i < il; ++i) {
+        if (origin.match(settings._origin.wildcards[i])) {
+            return true;
+        }
+    }
+
+    return false;
 };
@@ -79,8 +79,6 @@ exports.security = {
 
 exports.cors = {
     origin: ['*'],
-    isOriginExposed: true,                          // Return the list of supported origins if incoming origin does not match
-    matchOrigin: true,                              // Attempt to match incoming origin against allowed values and return narrow response
     maxAge: 86400,                                  // One day
     headers: [
         'Authorization',
@@ -93,6 +91,5 @@ exports.cors = {
         'Server-Authorization'
     ],
     additionalExposedHeaders: [],
-    credentials: false,
-    override: true
+    credentials: false
 };
@@ -76,16 +76,13 @@ internals.routeBase = Joi.object({
         statuses: Joi.array().items(Joi.number().integer().min(200)).min(1)
     }),
     cors: Joi.object({
-        origin: Joi.array(),
-        matchOrigin: Joi.boolean(),
-        isOriginExposed: Joi.boolean(),
+        origin: Joi.array().min(1),
         maxAge: Joi.number(),
         headers: Joi.array(),
         additionalHeaders: Joi.array(),
         exposedHeaders: Joi.array(),
         additionalExposedHeaders: Joi.array(),
-        credentials: Joi.boolean(),
-        override: Joi.boolean().allow('merge')
+        credentials: Joi.boolean()
     })
         .allow(false, true),
     ext: Joi.object({