Closed brettt89 closed 6 years ago
Thanks for bringing this up! I didn't have a wildcard domain to try this out on when I implemented this feature, so I'm not surprised I missed something.
You're right that the protocol needs to be taken into account, but simply removing ^
would be too permissive. A wildcard domain should only match one level of subdomains. For example, given *.example.com
, foo.example.com
should match, but bar.foo.example.com
should not.
I think the way this should work is to require that the protocol be specified before the wildcard domain.
These should be valid
http://*.example.com
https://*.example.com
These should not be valid
http://*foo.example.com
http://foo*.example.com
http://foo.*.example.com
The preg_replace
regex will need a lookahead and a lookbehind so that it only replaces the *
if it is preceded by ://
and followed by .
.
After looking into this a bit more, it seems that the code does work as is. So, I'm not sure what problem you are encountering.
I do still like the idea of specifying the protocol though. I think it would have to be optional in order to not break backward compatibility.
In your preg_replace
for wildcards currently uses the regex "/^\\\\\*/"
. The first character ^
matches the start of a string, so it expects the domain to start with a *
rather than http://
or https://
.
E.g.
These are being parsed as expected
http://test.example.com
https://test.example.com
*.example.com
These are not being parsed as expected
http://*.example.com
https://*.example.com
This is because you are calling preg_quote
on the domain which would convert https://*.example.com
into https\://\*\.example\.com
.
The unescaped regex being used is '^\\\*'
which literally is looking for a string starting with \*
. This would work if you were stripping the protocol off the domain to begin with, however I think its a good idea to have protocol based wildcards as most CORS are restricted to https only.
OK, I think we are getting on the same page now. When I implemented this feature, I intended it to be a wildcard domain only. It was not intended to allow you to specify the protocol. However, I'm up for adding that functionality. I'm not sure why you say "most CORS are restricted to https only", but it certainly is an important use case.
I have two requirements for adding this functionality.
*.example.com
should still work and match on any protocol.^
.I added this feature. Thanks for bringing up the issue!
This regex only allows for wildcards without protocol (e.g.
*.website.com
).The
^
regex should be remove to allow users to provide protocol for wildcard domains.E.g.
return "/^" . preg_replace("/\\\\\*/", "[^.]+", preg_quote($domain, "/")) . "$/";