
[4.x] CORS incorrectly disregards whether the incoming request is secure or not in deciding whether it's a CORS request #8093

Closed
tjquinno opened this issue Dec 1, 2023 · 0 comments · Fixed by #8166
Assignees
Labels
2.x Issues for 2.x version branch 3.x Issues for 3.x version branch 4.x Version 4.x bug Something isn't working cors Related to CORS support P2

Comments

@tjquinno (Member) commented Dec 1, 2023

Environment Details

  • Helidon Version: 4.x
  • Helidon SE or Helidon MP
  • JDK version:
  • OS:
  • Docker version (if applicable):

Problem Description

As explained here https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS (near the top):

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

(emphasis added)

The incoming request determines the server's origin, including the scheme.

The Helidon CORS processing does not consider whether the request is secure or not (that is, whether its scheme is http or https) in deciding whether the origin conveyed in the request's headers is the same as the server's origin.

Steps to reproduce

Use the examples/cors example.

  1. Edit src/main/resources/logging.properties to contain these lines (uncommented):
    io.helidon.webserver.cors.level=FINER
    io.helidon.cors.level=FINER
  2. mvn clean package
  3. java -jar target/helidon-examples-cors.jar
  4. curl -i -X OPTIONS \
        -H "Access-Control-Request-Method: PUT" \
        -H "Origin: https://here.com" \
        -H "Host: here.com" \
        http://localhost:8080/greet/greeting

The response is 404, because CORS incorrectly concluded the origin (https in the Origin header) and host (http as derived from the request in the code) shared the same location because it does not consider the scheme of the server's origin.

The logging output from the server contains this, also reflecting the error:

is not cross-host: [header ORIGIN 'https://here.com' matches header HOST 'here.com']

which is true as far as it goes, but the CORS decision-making should also consider the host and origin schemes which it does not.
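The following Python is an added illustration of the point the issue makes; it is not Helidon's code and does not use Helidon's API. It places a host-only comparison (the behaviour described above) next to a full same-origin comparison in which the server's origin tuple is built from the scheme the request actually arrived on (TLS or not), the Host header, and the scheme's default port. The function and header names are assumed for the example; the request headers are constructed to mirror the curl command in the reproduction steps.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Default ports per scheme; an origin is represented as (scheme, host, port).
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_port(host_header: str, default_port: int) -> tuple[str, int]:
    """Split a Host header value into (lower-cased host, port).

    A trailing ':<digits>' is taken as the port; otherwise the given default
    applies. Bracketed IPv6 literals are not handled in this illustration.
    """
    host, sep, port = host_header.strip().rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return host_header.strip().lower(), default_port


def server_origin(host_header: str, request_is_secure: bool) -> tuple[str, str, int]:
    """Origin tuple of the server as seen on this particular request.

    The scheme comes from the transport the request arrived on, which is
    exactly the input that the host-only comparison below ignores.
    """
    scheme = "https" if request_is_secure else "http"
    host, port = split_host_port(host_header, DEFAULT_PORTS[scheme])
    return scheme, host, port


def parse_origin_header(origin_header: str) -> tuple[str, str, int] | None:
    """Parse an Origin header value into an origin tuple.

    Returns None for the opaque 'null' origin and for anything unparsable,
    so callers treat those as cross-origin instead of silently same-origin.
    """
    value = origin_header.strip()
    if value.lower() == "null":
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme]


def host_only_is_cross_host(origin_header: str, host_header: str) -> bool:
    """The comparison the issue describes: only the host names are compared."""
    origin = parse_origin_header(origin_header)
    if origin is None:
        return True
    host, _ = split_host_port(host_header, 0)
    return origin[1] != host


def is_cross_origin(origin_header: str, host_header: str, request_is_secure: bool) -> bool:
    """Full same-origin test: scheme, host and port must all match."""
    origin = parse_origin_header(origin_header)
    if origin is None:
        return True
    return origin != server_origin(host_header, request_is_secure)


def classify_request(headers: dict[str, str], request_is_secure: bool) -> str:
    """Label a request as 'not-cors', 'same-origin' or 'cross-origin'.

    `headers` is a constructed dict of request headers with lower-cased keys.
    """
    origin = headers.get("origin")
    if origin is None:
        return "not-cors"  # no Origin header: CORS processing does not apply
    host = headers.get("host", "")
    return "cross-origin" if is_cross_origin(origin, host, request_is_secure) else "same-origin"


if __name__ == "__main__":
    # Constructed headers mirroring the curl command in the issue: an https
    # origin arriving on a plain-http listener.
    repro = {"origin": "https://here.com", "host": "here.com",
             "access-control-request-method": "PUT"}
    print("host-only check says cross-host:",
          host_only_is_cross_host(repro["origin"], repro["host"]))
    print("full check says:", classify_request(repro, request_is_secure=False))
```

Run as a script, the host-only check reports the reproduction request as not cross-host, while the full check classifies it as cross-origin because `https://here.com` and the server's `http://here.com:80` differ in scheme. The same tuple comparison also catches a port mismatch (for example an Origin of `http://here.com` against a listener on `here.com:8080`), which a host-only comparison misses in the same way.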

@tjquinno tjquinno added bug Something isn't working cors Related to CORS support 4.x Version 4.x labels Dec 1, 2023
@tjquinno tjquinno self-assigned this Dec 1, 2023
@tjquinno tjquinno added 3.x Issues for 3.x version branch 2.x Issues for 2.x version branch labels Dec 1, 2023
@tjquinno tjquinno changed the title CORS incorrectly disregards whether the incoming request is secure or not in deciding whether it's a CORS request [4.x] CORS incorrectly disregards whether the incoming request is secure or not in deciding whether it's a CORS request Dec 1, 2023
@tjquinno tjquinno added the P2 label Dec 4, 2023
@m0mus m0mus added this to Backlog Aug 12, 2024
@m0mus m0mus moved this to Closed in Backlog Aug 12, 2024