fix cors sec code

JoyChou93 · JoyChou93 · commit 4cffffd87ebc · 2018-10-25T23:35:46.000+08:00
diff --git a/README.md b/README.md
@@ -31,6 +31,7 @@
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
 - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
+- [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 
diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
@@ -26,7 +26,7 @@ public class CORS {
      *
      * @param request
      * @param response
-     * @desc: 当origin为空，即直接访问的情况下，response的header中不会出现Access-Control-Allow-Origin
+     * @desc  https://github.com/JoyChou93/java-sec-code/wiki/CORS
      */
     @RequestMapping("/vuls1")
     @ResponseBody
@@ -61,7 +61,16 @@ private static String vuls3(HttpServletResponse response) {
     private static String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
         Security sec = new Security();
-        if (!sec.checkSafeUrl(origin, urlwhitelist)) {
+        Boolean origin_safe = false;
+
+        // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求，这种直接放过，没有安全问题。
+        if (origin == null) {
+            origin_safe = true;
+        }else if (sec.checkSafeUrl(origin, urlwhitelist)) {
+            origin_safe = true;
+        }
+
+        if (!origin_safe) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", "*");
