bug: If allow_origins_by_regex is not nil，using other domain is also verified.

[chenjinfeng0505]

Current Behavior

allow_origins： Origins to allow CORS
allow_origins_by_regex： Regex to match with origin for enabling CORS.

As a user, When I set the value of allow_origins_by_regex，the orgins to allow CORS must be in the range and other origin will be failed. But it's not ready.
In code，the default value of allow orgins is ‘*’ and all origins will be passed and allow_origins_by_regex has not effect.

Expected Behavior

In my opinion，allow_origins_by_regex should be considered first. If the allow_origins_by_regex has no value. it can judge using allow_origins.

Error Logs

No response

Steps to Reproduce

set the value of allow_origins_by_regex is '.\.domain.com' and allow_origins is ''. The use of other domain names is also verified.

Environment

• APISIX version (run apisix version):
• Operating system (run uname -a):
• OpenResty / Nginx version (run openresty -V or nginx -V):
• etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
• APISIX Dashboard version, if relevant:
• Plugin runner version, for issues related to plugin runners:
• LuaRocks version, for installation issues (run luarocks --version):

[mscb402]

I don't think this is a bug

apisix/apisix/plugins/cors.lua

Lines 298 to 302 in c159f04

	function _M.header_filter(conf, ctx)
	local req_origin = ctx.original_request_origin
	-- Try allow_origins first, if mismatched, try allow_origins_by_regex.
	local allow_origins
	allow_origins = process_with_allow_origins(conf.allow_origins, ctx, req_origin)

[chenjinfeng0505]

I don't think this is a bug

apisix/apisix/plugins/cors.lua

Lines 298 to 302 in c159f04

	function _M.header_filter(conf, ctx)
	local req_origin = ctx.original_request_origin
	-- Try allow_origins first, if mismatched, try allow_origins_by_regex.
	local allow_origins
	allow_origins = process_with_allow_origins(conf.allow_origins, ctx, req_origin)

@mscb402Hi, At present, many companies have many security requirements for cors and setting Access-Control-Allow-Origin to * is not allowed. Only the specified source domain name is allowed to pass.

According to the current plug-in processing logic, If conf.allow_origins is set to * and Access-Control-Allow-Origin will still return * even if allow_origins_by_regex is set to the specified range of domain names. This is not safe.

[mscb402]

I think you can set allow_origins_by_regex and allow_origins together. And manual change allow_origins.

[chenjinfeng0505]

I think you can set allow_origins_by_regex and allow_origins together. And manual change allow_origins.

@mscb402 Hi, many companies only wants to the specified range. So they set allow_origins_by_regex to sspecified range and not set allow_origins. At the time, the default value of allow_origins is * and all origins will be passed. This is not in compliance with safety regulations.

[mscb402]

I think you can set allow_origins_by_regex and allow_origins together. And manual change allow_origins.

@mscb402 Hi, many companies only wants to the specified range. So they set allow_origins_by_regex to sspecified range and not set allow_origins. At the time, the default value of allow_origins is * and all origins will be passed. This is not in compliance with safety regulations.

Sounds good!

[boekkooi-lengoo]

We are having the same problem. We would like to only use allow_origins_by_regex and set allow_origins to be empty or nil but this is not allowed.
However we also have a case where we want to use both allow_origins_by_regex and allow_origins but I can live with just being allowed to set 1 of them.