Hi guys, for the

cors

block can we use

*

in it?

cors:
  allowedOrigins:
  - '*.<http://domain.com|domain.com>'

and if so, would the

<http://my.sub.domain.com|my.sub.domain.com>

be allowed?

Hi, It is possible to use

*

per allowed origin and it matches and allows the

<http://sub.domain.com|sub.domain.com>

. I am not sure about

<http://my.sub.domain.com|my.sub.domain.com>

.

cerbos/cerbos

uses the

rs/cors

package and I’ve checked the source code for it and come up with a little test by copying over some logic;

package cors_test

import (
	"strings"
	"testing"

    "<http://github.com/stretchr/testify/require|github.com/stretchr/testify/require>"
)

func TestCors(t *testing.T) {
	rule := "*.<http://domain.com|domain.com>" // the rule given in cerbos configuration
    // if block from <https://github.com/rs/cors/blob/066574eebbd0f5f1b6cd1154a160cc292ac1835e/cors.go#L153C21-L153C21>
	var wc wildcard
	if i := strings.IndexByte(rule, '*'); i >= 0 {
		wc = wildcard{rule[0:i], rule[i+1:]}
	}

	testCases := []struct {
		domain string
	}{
		{"<http://sub.sub.domain.com|sub.sub.domain.com>"},
		{"<http://sub.domain.com|sub.domain.com>"},
		{"<http://domain.com|domain.com>"},
	}

	for _, testCase := range testCases {
		t.Run(testCase.domain, func(t *testing.T) {
            require.True(t, wc.match(testCase.domain))
		})
	}
}

// wildcard struct from <https://github.com/rs/cors/blob/066574eebbd0f5f1b6cd1154a160cc292ac1835e/utils.go#L9>
type wildcard struct {
	prefix string
	suffix string
}

// wildcard match method from <https://github.com/rs/cors/blob/066574eebbd0f5f1b6cd1154a160cc292ac1835e/utils.go#L14>
func (w wildcard) match(s string) bool {
	return len(s) >= len(w.prefix)+len(w.suffix) && strings.HasPrefix(s, w.prefix) && strings.HasSuffix(s, w.suffix)
}

All of the subdomain cases seem to pass🤞🏻

--- FAIL: TestCors (0.00s)
    --- PASS: TestCors/sub.sub.domain.com (0.00s)
    --- PASS: TestCors/sub.domain.com (0.00s)
    --- FAIL: TestCors/domain.com (0.00s)

thank you!