Bounded wildcard support?

This library uses HttpOriginRange from akka-http to perform its matching.

Unfortunately, there is no way to extend HttpOriginRange or HttpOrigin in order to support more sophisticated/alternate matching.

This means that whilst it’s possible to match all hosts (HttpOriginRange.*) or a set of fixed hosts (HttpOriginRange.Default(...)), it’s not possible for CORS purposes to match for example *.somedomain.com.

I would open this as an issue upstream, but it’s unclear to me whether this is a request that’s applicable to other uses of their HttpOriginRange or is specific to akka-http-cors’s use of it.

So in summary:

  • Would it be possible here to add support for matching on bounded wildcards?
  • Should this issue go upstream to akka-http instead?

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

1 reaction
lomigmegard commented, Jan 21, 2019

I will have a look again at this then, I think I remember I had an issue implementing it.

1 reaction
lomigmegard commented, Oct 22, 2017

Hey, I knew one day someone would raise this issue 😉

Modifying HttpOriginRange or HttpOrigin is impracticable for two reasons:

  • An HttpOrigin is strictly defined in RFC-6454 and it doesn’t allow some matching segments. An HttpOrigin is used in many places and we can’t modify its semantics for CORS.
  • The range is used directly in the Access-Control-Allow-Origin header and the W3C defines its content strictly.

I looked at other CORS implementations to see how they deal with this:

  • The CORS filter from Dzhuvinov Software adds a new setting allowSubdomains.

    If true the CORS filter will allow requests from any origin which is a subdomain origin of the allowed origins. A subdomain is matched by comparing its scheme and suffix (host name / IP address and optional port number).

  • The CORS filter from eBay doesn’t allow it.
  • […] please add more

Adding a new setting allowSubdomains is possible, but this mechanism is not defined by the W3C. This setting would only change the matching logic, not the content of the Access-Control-Allow-Origin header.

Thoughts?
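
The subdomain matching discussed in this thread, as an added example that is not code from akka-http-cors or from either commenter: the match compares scheme and port exactly and the host at a label boundary, and the `Access-Control-Allow-Origin` value remains the single concrete origin from the request. `Origin`, `SubdomainOriginMatcher` and `allowOrigin` are hypothetical names, the default-port table is an assumption, and the sample header values are constructed.

```scala
import java.net.{URI, URISyntaxException}
import java.util.Locale

// Hypothetical types for illustration; not part of akka-http or akka-http-cors.
final case class Origin(scheme: String, host: String, port: Int)

object Origin {
  private val defaultPorts = Map("http" -> 80, "https" -> 443) // assumption: web schemes only

  // Accepts only a serialized origin (scheme://host[:port]); "null", paths,
  // queries, fragments and userinfo are rejected.
  def parse(s: String): Option[Origin] =
    try {
      val u = new URI(s)
      for {
        scheme <- Option(u.getScheme).map(_.toLowerCase(Locale.ROOT))
        host   <- Option(u.getHost).map(_.toLowerCase(Locale.ROOT))
        port   <- if (u.getPort != -1) Some(u.getPort) else defaultPorts.get(scheme)
        if u.getRawPath.isEmpty && u.getRawQuery == null &&
          u.getRawFragment == null && u.getRawUserInfo == null
      } yield Origin(scheme, host, port)
    } catch { case _: URISyntaxException => None }
}

final class SubdomainOriginMatcher(allowed: Set[Origin], allowSubdomains: Boolean) {
  // Value to send in Access-Control-Allow-Origin, or None to omit the header.
  // Only the matching logic is widened; the header still names one origin.
  def allowOrigin(originHeader: String): Option[String] =
    Origin.parse(originHeader).filter(matches).map(_ => originHeader)

  private def matches(o: Origin): Boolean = allowed.exists { a =>
    a.scheme == o.scheme && a.port == o.port &&
      // The leading "." forces a label boundary, so a host that merely ends
      // with the same characters is not treated as a subdomain.
      (a.host == o.host || (allowSubdomains && o.host.endsWith("." + a.host)))
  }
}

object Demo {
  def main(args: Array[String]): Unit = {
    val m = new SubdomainOriginMatcher(Set(Origin("https", "somedomain.com", 443)), allowSubdomains = true)
    Seq( // constructed Origin header values
      "https://app.somedomain.com",       // subdomain of the allowed origin
      "https://somedomain.com:443",       // allowed origin with its default port spelled out
      "https://evilsomedomain.com",       // same trailing characters, different registrable domain
      "https://somedomain.com.evil.test", // allowed host used as a prefix
      "http://app.somedomain.com",        // scheme differs
      "null"                              // opaque origin
    ).foreach(o => println(s"$o -> ${m.allowOrigin(o)}"))
  }
}
```

Because the header value now varies with the request, a response produced this way should also carry `Vary: Origin` so that shared caches do not serve one origin's response to another.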
