diff --git a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
index ba23f7859ae..032c0de7ffd 100644
--- a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
+++ b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
@@ -275,14 +275,16 @@ public class CorsConfiguration {
 case ']' -> withinPortRange = false;
 case ',' -> {
 if (!withinPortRange) {
- valueConsumer.accept(rawValue.substring(start, current).trim());
+ String originValue = rawValue.substring(start, current).trim();
+ valueConsumer.accept(originValue);
 start = current + 1;
 }
 }
 }
 }
 if (start < rawValue.length()) {
- valueConsumer.accept(rawValue.substring(start));
+ String originValue = rawValue.substring(start).trim();
+ valueConsumer.accept(originValue);
 }
 }
diff --git a/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java b/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
index 0dfdee1ba0b..092781475f9 100644
--- a/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
+++ b/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
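Review bot: An empty or whitespace-only segment is still handed to `valueConsumer` after the new trim in the CorsConfiguration.java hunk. For a constructed value such as `"https://a1.com, "`, the tail check `start < rawValue.length()` passes and the trimmed result is `""`; the loop branch does the same for `a,,b`. For a CORS allow-list it is safer to drop such entries than to depend on how each consumer treats an empty origin, which this hunk does not show, so guard both call sites with `if (!originValue.isEmpty()) { valueConsumer.accept(originValue); }`. The method's signature and any early return for comma-free values lie outside the hunk, so it cannot be confirmed here whether a single value with surrounding spaces is trimmed as well.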
@@ -305,6 +305,11 @@ class CorsConfigurationTests { assertThat(config.checkOrigin("https://a1.com")).isEqualTo("https://a1.com"); assertThat(config.checkOrigin("https://a2.com/")).isEqualTo("https://a2.com/"); + // comma-delimited origins list with space + config.setAllowedOrigins(Collections.singletonList("https://a1.com, https://a2.com")); + assertThat(config.checkOrigin("https://a1.com")).isEqualTo("https://a1.com"); + assertThat(config.checkOrigin("https://a2.com/")).isEqualTo("https://a2.com/"); + // specific origin matches Origin header with or without trailing "/" config.setAllowedOrigins(Collections.singletonList("https://domain.com")); assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
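Review bot: The added case covers only a single space after the comma, and nothing asserts that an unlisted origin is still rejected once the list is parsed with trimming. For an allow-list, the negative case matters as much as the positive one: assuming `checkOrigin` returns null for a non-matching origin, add `assertThat(config.checkOrigin("https://a3.com")).isNull();` after the two new assertions. A second variant with whitespace before the comma and at the end of the string, for example `"https://a1.com , https://a2.com "`, would exercise the trailing-segment trim directly. The enclosing test method starts and ends outside the hunk.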