feat(cors): add an option to skip return ACAO when no origin in request

changelog/unreleased/kong/feat-cors-skip-return-acao-when-no-origin-in-request.yml

@@ -0,0 +1,3 @@
+message: "**CORS**: add an option to skip return ACAO when request don't have Origin Header"
+type: feature
+scope: Plugin

kong/clustering/compat/removed_fields.lua

@@ -230,6 +230,9 @@ return {
   },
   -- Any dataplane older than 3.10.0
   [3010000000] = {
+    cors = {
+      "allow_origin_absent",
+    },
     session = {
       "hash_subject",
       "store_metadata",

kong/plugins/cors/handler.lua

@@ -247,6 +247,11 @@ function CorsHandler:header_filter(conf)
     return
   end
 
+  local req_origin = kong.request.get_header("origin")
+  if not req_origin and not conf.allow_origin_absent then
+    return
+  end
+
   local allow_all = configure_origin(conf, true)
   configure_credentials(conf, allow_all, true)
 

kong/plugins/cors/schema.lua

@@ -48,6 +48,7 @@ return {
           { credentials = { description = "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", type = "boolean", required = true, default = false }, },
           { private_network = { description = "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", type = "boolean", required = true, default = false }, },
           { preflight_continue = { description = "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", type = "boolean", required = true, default = false }, },
+          { allow_origin_absent = { description = "A boolean value that skip cors response headers when origin header of request is empty", type = "boolean", required = true, default = true }, },
     }, }, },
   },
 }

spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua

@@ -201,36 +201,50 @@ describe("CP/DP config compat transformations #" .. strategy, function()
     end)
 
     describe("compatibility test for cors plugin", function()
-      it("removes `config.private_network` before sending them to older(less than 3.5.0.0) DP nodes", function()
+      it("removes config.options before sending them to older DP nodes", function()
         local cors = admin.plugins:insert {
           name = "cors",
           enabled = true,
           config = {
+            -- [[ new fields 3.10.0
+            allow_origin_absent = true,
+            -- ]]
             -- [[ new fields 3.5.0
             private_network = false
             -- ]]
           }
         }
 
-        assert.not_nil(cors.config.private_network)
+        assert.not_nil(cors.config.allow_origin_absent)
         local expected_cors = cycle_aware_deep_copy(cors)
+        do_assert(uuid(), "3.10.0", expected_cors)
+        expected_cors.config.allow_origin_absent = nil
+
+        assert.not_nil(cors.config.private_network)
+        expected_cors = cycle_aware_deep_copy(expected_cors)
         expected_cors.config.private_network = nil
         do_assert(uuid(), "3.4.0", expected_cors)
 
         -- cleanup
         admin.plugins:remove({ id = cors.id })
       end)
 
-      it("does not remove `config.private_network` from DP nodes that are already compatible", function()
+      it("does not remove config.options from DP nodes that are already compatible", function()
         local cors = admin.plugins:insert {
           name = "cors",
           enabled = true,
           config = {
+            -- [[ new fields 3.10.0
+            allow_origin_absent = true,
+            -- ]]
             -- [[ new fields 3.5.0
             private_network = false
             -- ]]
           }
         }
+        do_assert(uuid(), "3.10.0", cors)
+        cors.config.allow_origin_absent = nil
+
         do_assert(uuid(), "3.5.0", cors)
 
         -- cleanup

spec/03-plugins/13-cors/01-access_spec.lua

@@ -291,6 +291,14 @@ for _, strategy in helpers.each_strategy() do
         hosts = { "cors14.test" },
       })
 
+      local route15 = bp.routes:insert({
+        hosts = { "cors15.test" },
+      })
+
+      local route16 = bp.routes:insert({
+        hosts = { "cors16.test" },
+      })
+
       local mock_upstream = bp.services:insert {
         host = helpers.mock_upstream_hostname,
         port = helpers.mock_upstream_port,
@@ -464,6 +472,28 @@ for _, strategy in helpers.each_strategy() do
         }
       }
 
+      bp.plugins:insert {
+        name = "cors",
+        route = { id = route15.id },
+        config = {
+          allow_origin_absent = false,
+          origins = { "foo.bar" },
+          exposed_headers    = { "x-auth-token" },
+          credentials     = true
+        }
+      }
+
+      bp.plugins:insert {
+        name = "cors",
+        route = { id = route16.id },
+        config = {
+          allow_origin_absent = true,
+          origins = { "foo.bar" },
+          exposed_headers    = { "x-auth-token" },
+          credentials     = true
+        }
+      }
+
       bp.plugins:insert {
         name = "cors",
         route = { id = route_timeout.id },
@@ -1130,6 +1160,32 @@ for _, strategy in helpers.each_strategy() do
         assert.equal("true", res.headers["Access-Control-Allow-Credentials"])
         assert.equal("disallowed-domain.test", json.headers["origin"])
       end)
+
+      it("when disable allow_origin_absent, no ACAO", function()
+        local res = assert(proxy_client:send {
+          method  = "GET",
+          headers = {
+            ["Host"]   = "cors15.test",
+          }
+        })
+        assert.res_status(200, res)
+        assert.is_nil(res.headers["Access-Control-Allow-Origin"])
+        assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
+        assert.is_nil(res.headers["Access-Control-Expose-Headers"])
+      end)
+
+      it("when enable allow_origin_absent, ACAO is returned", function()
+        local res = assert(proxy_client:send {
+          method  = "GET",
+          headers = {
+            ["Host"]   = "cors16.test",
+          }
+        })
+        assert.res_status(200, res)
+        assert.equal("foo.bar", res.headers["Access-Control-Allow-Origin"] )
+        assert.equal("true", res.headers["Access-Control-Allow-Credentials"])
+        assert.equal("x-auth-token", res.headers["Access-Control-Expose-Headers"])
+      end)
     end)
   end)
 end