refactor: trusted-origins use *.example.com wildcard only (no regex)

- Match --proxy-domain prior art: exact, *, or *.example.com style - Remove full regex support; simpler to type and read Made-with: Cursor
2026-04-01 19:13:33 +02:00 · 2026-03-12 15:16:27 -04:00 · 2026-03-12 15:16:27 -04:00 · 56b0f921b9
commit 56b0f921b9
parent 4a056b8736
2 changed files with 13 additions and 27 deletions
--- a/src/node/http.ts
+++ b/src/node/http.ts
@ -353,26 +353,18 @@ export function ensureOrigin(req: express.Request, _?: express.Response, next?:

 /**
 * Return true if the origin matches any trusted origin.  Entries are matched
- * as exact strings, the special wildcard `"*"`, or regex literals in the form
- * `/pattern/flags` (e.g. `/^.*\.example\.com$/i`).
+ * as exact strings, the special wildcard `"*"`, or `*.example.com`-style
+ * domain wildcards (same as --proxy-domain).
 */
 export function isTrustedOrigin(origin: string, trustedOrigins: string[]): boolean {
  return trustedOrigins.some((trusted) => {
    if (trusted === "*" || trusted === origin) {
      return true
    }
-    // Regex literal: /pattern/ or /pattern/flags
-    if (trusted.startsWith("/")) {
-      const closingSlash = trusted.lastIndexOf("/")
-      if (closingSlash > 0) {
-        const pattern = trusted.slice(1, closingSlash)
-        const flags = trusted.slice(closingSlash + 1)
-        try {
-          return new RegExp(pattern, flags).test(origin)
-        } catch {
-          return false
-        }
-      }
+    // *.example.com style: match origin if it is the domain or a subdomain
+    if (trusted.startsWith("*.")) {
+      const domain = trusted.slice(2).toLowerCase()
+      return origin === domain || origin.endsWith("." + domain)
    }
    return false
  })
--- a/test/unit/node/http.test.ts
+++ b/test/unit/node/http.test.ts
@ -31,17 +31,11 @@ describe("http", () => {
      expect(http.isTrustedOrigin("localhost:8080", ["*"])).toBe(true)
    })

-    it("should match regex patterns", () => {
-      expect(http.isTrustedOrigin("sub.example.com", ["/\\.example\\.com$/"])).toBe(true)
-      expect(http.isTrustedOrigin("evil.com", ["/\\.example\\.com$/"])).toBe(false)
-    })
-
-    it("should support regex flags", () => {
-      expect(http.isTrustedOrigin("SUB.EXAMPLE.COM", ["/\\.example\\.com$/i"])).toBe(true)
-    })
-
-    it("should return false for invalid regex patterns", () => {
-      expect(http.isTrustedOrigin("example.com", ["/[invalid/"])).toBe(false)
+    it("should match *.example.com wildcard (same style as --proxy-domain)", () => {
+      expect(http.isTrustedOrigin("sub.example.com", ["*.example.com"])).toBe(true)
+      expect(http.isTrustedOrigin("example.com", ["*.example.com"])).toBe(true)
+      expect(http.isTrustedOrigin("evil.com", ["*.example.com"])).toBe(false)
+      expect(http.isTrustedOrigin("example.com.evil.com", ["*.example.com"])).toBe(false)
    })

    it("should return false for an empty trusted origins list", () => {
@ -87,12 +81,12 @@ describe("http", () => {
      {
        origin: "http://sub.example.com",
        host: "other.com",
-        trustedOrigins: ["/\\.example\\.com$/"],
+        trustedOrigins: ["*.example.com"],
      },
      {
        origin: "http://evil.com",
        host: "other.com",
-        trustedOrigins: ["/\\.example\\.com$/"],
+        trustedOrigins: ["*.example.com"],
        expected: "does not match",
      },
      {