Class OriginUtil
Normalizes an Origin header value or a full URL (e.g. Referer)
into a canonical "scheme://host[:port]" string. The scheme and host are
lower-cased, the default port for the scheme is stripped (https:443 /
http:80), and any path, query, or fragment is discarded.
Invalid inputs all map to null: null, blank, the literal
string "null" (the value browsers send for opaque origins), values that
contain whitespace or control characters (CR/LF/TAB/etc.), values carrying
multiple space-separated tokens, values missing a scheme or host, and anything
that cannot be parsed. Parsing never throws — failures are caught and reported
as null so callers can treat null uniformly as "unusable".
-
Method Summary
Modifier and TypeMethodDescriptionstatic Stringcanonicalize(String originOrUrl) Canonicalizes anOriginheader value or URL into"scheme://host[:port]".
-
Method Details
-
canonicalize
Canonicalizes anOriginheader value or URL into"scheme://host[:port]".Examples:
https://App.Example.com:443/path?x→https://app.example.com;http://example.com:80→http://example.com.Note: hosts containing an underscore (e.g.
https://my_host) canonicalize tonullbecauseURI.getHost()returnsnullfor them, so such origins fail closed (are not treated as same-origin). Operators with such internal hostnames should settheme.api.csrf.server.originsexplicitly.- Parameters:
originOrUrl- the raw Origin header value or URL (may benull)- Returns:
- the canonical origin, or
nullif the input is missing, malformed, or otherwise unusable
-