Class OriginUtil

java.lang.Object
org.codelibs.fess.util.OriginUtil

public final class OriginUtil extends Object
Single source of truth for origin canonicalization used by the v2 CSRF Origin check. Pure, side-effect-free static helper.

Normalizes an Origin header value or a full URL (e.g. Referer) into a canonical "scheme://host[:port]" string. The scheme and host are lower-cased, the default port for the scheme is stripped (https:443 / http:80), and any path, query, or fragment is discarded.

Invalid inputs all map to null: null, blank, the literal string "null" (the value browsers send for opaque origins), values that contain whitespace or control characters (CR/LF/TAB/etc.), values carrying multiple space-separated tokens, values missing a scheme or host, and anything that cannot be parsed. Parsing never throws — failures are caught and reported as null so callers can treat null uniformly as "unusable".

  • Method Details

    • canonicalize

      public static String canonicalize(String originOrUrl)
      Canonicalizes an Origin header value or URL into "scheme://host[:port]".

      Examples: https://App.Example.com:443/path?xhttps://app.example.com; http://example.com:80http://example.com.

      Note: hosts containing an underscore (e.g. https://my_host) canonicalize to null because URI.getHost() returns null for them, so such origins fail closed (are not treated as same-origin). Operators with such internal hostnames should set theme.api.csrf.server.origins explicitly.

      Parameters:
      originOrUrl - the raw Origin header value or URL (may be null)
      Returns:
      the canonical origin, or null if the input is missing, malformed, or otherwise unusable