labstack · vishr · Mar 9, 2019 · Mar 4, 2019 · Mar 8, 2019 · Mar 8, 2019
diff --git a/middleware/cors.go b/middleware/cors.go
@@ -102,6 +102,10 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 					allowOrigin = o
 					break
 				}
+				if o != "*" && equalScheme(origin, o) && isSubDomain(origin, o) {
+					allowOrigin = origin
+					break
+				}
 			}
 
 			// Simple request

diff --git a/middleware/cors_test.go b/middleware/cors_test.go
@@ -66,4 +66,20 @@ func TestCORS(t *testing.T) {
 	assert.NotEmpty(t, rec.Header().Get(echo.HeaderAccessControlAllowMethods))
 	assert.Equal(t, "true", rec.Header().Get(echo.HeaderAccessControlAllowCredentials))
 	assert.Equal(t, "3600", rec.Header().Get(echo.HeaderAccessControlMaxAge))
+
+	// Preflight request with `AllowOrigins` which allow all subdomains with *
+	req = httptest.NewRequest(http.MethodOptions, "/", nil)
+	rec = httptest.NewRecorder()
+	c = e.NewContext(req, rec)
+	req.Header.Set(echo.HeaderOrigin, "http://aaa.example.com")
+	cors = CORSWithConfig(CORSConfig{
+		AllowOrigins:     []string{"http://*.example.com"},
+	})
+	h = cors(echo.NotFoundHandler)
+	h(c)
+	assert.Equal(t, "http://aaa.example.com", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
+
+	req.Header.Set(echo.HeaderOrigin, "http://bbb.example.com")
+	h(c)
+	assert.Equal(t, "http://bbb.example.com", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
 }
diff --git a/middleware/util.go b/middleware/util.go
@@ -0,0 +1,51 @@
+package middleware
+
+import (
+	"strings"
+)
+
+func equalScheme(domain, pattern string) bool {
+	didx := strings.Index(domain, ":")
+	pidx := strings.Index(pattern, ":")
+	return didx != -1 && pidx != -1 && domain[:didx] == pattern[:pidx]
+}
+
+// isSubDomain compares authority with wildcard
+func isSubDomain(domain, pattern string) bool {
+	didx := strings.Index(domain, "://")
+	pidx := strings.Index(pattern, "://")
+	if didx == -1 || pidx == -1 {
+		return false
+	}
+	domAuth := domain[didx+3:]
+	// to avoid long loop by invalid long domain
+	if len(domAuth) > 253 {
+		return false
+	}
+	patAuth := pattern[pidx+3:]
+
+	domComp := strings.Split(domAuth, ".")
+	patComp := strings.Split(patAuth, ".")
+	for i := len(domComp)/2 - 1; i >= 0; i-- {
+		opp := len(domComp) - 1 - i
+		domComp[i], domComp[opp] = domComp[opp], domComp[i]
+	}
+	for i := len(patComp)/2 - 1; i >= 0; i-- {
+		opp := len(patComp) - 1 - i
+		patComp[i], patComp[opp] = patComp[opp], patComp[i]
+	}
+
+	for i, v := range domComp {
+		if len(patComp) <= i {
+			return false
+		}
+		p := patComp[i]
+		if p == "*" {
+			return true
+		}
+		if p != v {
+			return false
+		}
+	}
+	return false
+}
diff --git a/middleware/util_test.go b/middleware/util_test.go
@@ -0,0 +1,95 @@
+package middleware
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_equalScheme(t *testing.T) {
+	tests := []struct {
+		domain, pattern string
+		expected        bool
+	}{
+		{
+			domain:   "http://example.com",
+			pattern:  "http://example.com",
+			expected: true,
+		},
+		{
+			domain:   "https://example.com",
+			pattern:  "https://example.com",
+			expected: true,
+		},
+		{
+			domain:   "http://example.com",
+			pattern:  "https://example.com",
+			expected: false,
+		},
+		{
+			domain:   "https://example.com",
+			pattern:  "http://example.com",
+			expected: false,
+		},
+	}
+
+	for _, v := range tests {
+		assert.Equal(t, v.expected, equalScheme(v.domain, v.pattern))
+	}
+}
+
+func Test_isSubDomain(t *testing.T) {
+	tests := []struct {
+		domain, pattern string
+		expected        bool
+	}{
+		{
+			domain:   "http://aaa.example.com",
+			pattern:  "http://*.example.com",
+			expected: true,
+		},
+		{
+			domain:   "http://bbb.aaa.example.com",
+			pattern:  "http://*.example.com",
+			expected: true,
+		},
+		{
+			domain:   "http://bbb.aaa.example.com",
+			pattern:  "http://*.aaa.example.com",
+			expected: true,
+		},
+		{
+			domain:   "http://aaa.example.com:8080",
+			pattern:  "http://*.example.com:8080",
+			expected: true,
+		},
+
+		{
+			domain:   "http://fuga.hoge.com",
+			pattern:  "http://*.example.com",
+			expected: false,
+		},
+		{
+			domain:   "http://ccc.bbb.example.com",
+			pattern:  "http://*.aaa.example.com",
+			expected: false,
+		},
+		{
+			domain: `http://1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890\
+      .1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890\
+      .1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890\
+      .1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.example.com`,
+			pattern:  "http://*.example.com",
+			expected: false,
+		},
+		{
+			domain:   "http://ccc.bbb.example.com",
+			pattern:  "http://example.com",
+			expected: false,
+		},
+	}
+
+	for _, v := range tests {
+		assert.Equal(t, v.expected, isSubDomain(v.domain, v.pattern))
+	}
+}