🔧 fix: strictly check protocol

Author: SaltyAom

CHANGELOG.md

@@ -1,3 +1,7 @@
+# 1.3.2 - 15 May 2025
+Bug fix:
+- [#65](https://github.com/elysiajs/elysia-cors/issues/65) strictly check origin protocol
+
 # 1.3.1 - 8 May 2025
 Bug fix:
 - strictly check origin not using sub includes

example/index.ts

@@ -4,15 +4,17 @@ import { cors } from '../src/index'
 const app = new Elysia()
 	.use(
 		cors({
-			origin: 'example.com'
+			origin: 'http://example.com'
 		})
 	)
 	.post('/', ({ body }) => body)
 
 app.handle(
 	new Request('http://localhost/awd', {
 		headers: {
-			origin: 'http://notexample.com'
+			origin: 'https://example.com',
+			a: 'b',
+			c: 'd'
 		}
 	})
 )

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@elysiajs/cors",
-    "version": "1.3.1",
+    "version": "1.3.2",
     "description": "Plugin for Elysia that for Cross Origin Requests (CORs)",
     "author": {
         "name": "saltyAom",

src/index.ts

@@ -168,44 +168,21 @@ const isBun = typeof new Headers()?.toJSON === 'function'
  * Attempts to process headers based on request headers.
  */
 const processHeaders = (headers: Headers) => {
-	if (isBun) return Object.keys(headers.toJSON()).join(', ')
+	// if (isBun) return Object.keys(headers.toJSON()).join(', ')
 
 	let keys = ''
 
+	let i = 0
 	headers.forEach((_, key) => {
-		keys += key + ', '
-	})
+		if (i) keys = keys + ', ' + key
+		else keys = key
 
-	if (keys) keys = keys.slice(0, -1)
+		i++
+	})
 
 	return keys
 }
 
-const processOrigin = (
-	origin: Origin,
-	request: Request,
-	from: string
-): boolean => {
-	if (Array.isArray(origin))
-		return origin.some((o) => processOrigin(o, request, from))
-
-	switch (typeof origin) {
-		case 'string':
-			const fromProtocol = from.indexOf('://')
-			if (fromProtocol !== -1) from = from.slice(fromProtocol + 3)
-
-			return origin === from
-
-		case 'function':
-			return origin(request) === true
-
-		case 'object':
-			if (origin instanceof RegExp) return origin.test(from)
-	}
-
-	return false
-}
-
 export const cors = (config?: CORSConfig) => {
 	let {
 		aot = true,
@@ -238,6 +215,38 @@ export const cors = (config?: CORSConfig) => {
 
 	const anyOrigin = origins?.some((o) => o === '*')
 
+	const originMap = <Record<string, true>>{}
+	if (origins)
+		for (const origin of origins)
+			if (typeof origin === 'string') originMap[origin] = true
+
+	const processOrigin = (
+		origin: Origin,
+		request: Request,
+		from: string
+	): boolean => {
+		if (Array.isArray(origin))
+			return origin.some((o) => processOrigin(o, request, from))
+
+		switch (typeof origin) {
+			case 'string':
+				if (from in originMap) return true
+
+				const fromProtocol = from.indexOf('://')
+				if (fromProtocol !== -1) from = from.slice(fromProtocol + 3)
+
+				return origin === from
+
+			case 'function':
+				return origin(request) === true
+
+			case 'object':
+				if (origin instanceof RegExp) return origin.test(from)
+		}
+
+		return false
+	}
+
 	const handleOrigin = (set: Context['set'], request: Request) => {
 		// origin === `true` means any origin
 		if (origin === true) {
@@ -269,9 +278,6 @@ export const cors = (config?: CORSConfig) => {
 
 					return
 				}
-
-				// value can be string (truthy value) but not `true`
-				if (value) headers.push(value)
 			}
 		}
 
@@ -339,7 +345,6 @@ export const cors = (config?: CORSConfig) => {
 		handleMethod(set, request.method)
 
 		if (allowedHeaders === true || exposeHeaders === true) {
-			// @ts-ignore
 			const headers = processHeaders(request.headers)
 
 			if (allowedHeaders === true)

test/origin.test.ts

@@ -144,4 +144,34 @@ describe('Origin', () => {
 
 		expect(response.headers.has('access-control-allow-origin')).toBeFalse()
 	})
+
+	it('strictly check protocol', async () => {
+		const app = new Elysia()
+			.use(
+				cors({
+					origin: 'http://example.com'
+				})
+			)
+			.post('/', ({ body }) => body)
+
+		const pass = await app.handle(
+			new Request('http://localhost/awd', {
+				headers: {
+					origin: 'http://example.com'
+				}
+			})
+		)
+
+		expect(pass.headers.has('access-control-allow-origin')).toBeTrue()
+
+		const fail = await app.handle(
+			new Request('http://localhost/awd', {
+				headers: {
+					origin: 'https://example.com'
+				}
+			})
+		)
+
+		expect(fail.headers.has('access-control-allow-origin')).toBeFalse()
+	})
 })