Fix bad origin check.

runtime/bin/vmservice/server.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of vmservice_io;
 
 class WebSocketClient extends Client {
   static const int PARSE_ERROR_CODE = 4000;
   static const int BINARY_MESSAGE_ERROR_CODE = 4001;
   static const int NOT_MAP_ERROR_CODE = 4002;
@@ skipping 61 matching lines @@
     map['socket'] = '$socket';
     return map;
   }
 }
 
 
 class HttpRequestClient extends Client {
   static ContentType jsonContentType =
       new ContentType("application", "json", charset: "utf-8");
   final HttpRequest request;
-  final List<String> _allowedOrigins;
 
-  HttpRequestClient(this.request, VMService service, this._allowedOrigins)
+  HttpRequestClient(this.request, VMService service)
       : super(service, sendEvents:false);
 
   disconnect() {
     request.response.close();
     close();
   }
 
   void post(dynamic result) {
     if (result == null) {
       close();
       return;
     }
     HttpResponse response = request.response;
+    // We closed the connection for bad origins earlier.
+    response.headers.add('Access-Control-Allow-Origin', '*');
     response.headers.contentType = jsonContentType;
-    final origins = request.headers['Origin'];
-    if ((origins != null) && (origins.isNotEmpty)) {
-      final uri = Uri.parse(origins.first);
-      final noPortOrigin = new Uri(host: uri.host, scheme: uri.scheme).origin;
-      if (_allowedOrigins.contains(noPortOrigin)) {
-        response.headers.add('Access-Control-Allow-Origin', uri.origin);
-      }
-    }
     if (result is String) {
       response.write(result);
     } else {
       assert(result is List);
       Uint8List cstring = result[0];  // Already in UTF-8.
       response.add(cstring);
     }
     response.close();
     close();
   }
 
   dynamic toJson() {
     Map map = super.toJson();
     map['type'] = 'HttpRequestClient';
     map['request'] = '$request';
     return map;
   }
 }
 
 class Server {
   static const WEBSOCKET_PATH = '/ws';
   static const ROOT_REDIRECT_PATH = '/index.html';
 
   final VMService _service;
   final String _ip;
   final int _port;
   final bool _originCheckDisabled;
-  final List<String> _allowedOrigins = <String>[];
   HttpServer _server;
   bool get running => _server != null;
   bool _displayMessages = false;
 
   Server(this._service, this._ip, this._port, this._originCheckDisabled) {
     _displayMessages = (_ip != '127.0.0.1' || _port != 8181);
   }
 
-  void _addOrigin(String host, String port) {
-    if (port == null) {
-      String origin = 'http://$host';
-      _allowedOrigins.add(origin);
-    } else {
-      String origin = 'http://$host:$port';
-      _allowedOrigins.add(origin);
+  bool _isAllowedOrigin(String origin) {
+    Uri uri;
+    try {
+      uri = Uri.parse(origin);
+    } catch (_) {
+      return false;
     }
-  }
 
-  bool _isAllowedOrigin(String origin) {
-    for (String allowedOrigin in _allowedOrigins) {
-      if (origin.startsWith(allowedOrigin)) {
-        return true;
-      }
+    // Explicitly add localhost and 127.0.0.1 on any port (necessary for
+    // adb port forwarding).
+    if ((uri.host == 'localhost') ||
+        (uri.host == '127.0.0.1')) {
+      return true;
     }
+
+    if ((uri.port == _server.port) &&
+        ((uri.host == _server.address.address) ||
+         (uri.host == _server.address.host))) {
+      return true;
+    }
+
     return false;
   }
 
   bool _originCheck(HttpRequest request) {
     if (_originCheckDisabled) {
       // Always allow.
       return true;
     }
     // First check the web-socket specific origin.
     List<String> origins = request.headers["Sec-WebSocket-Origin"];
@@ skipping 72 matching lines @@
     if (asset != null) {
       // Serving up a static asset (e.g. .css, .html, .png).
       request.response.headers.contentType =
           ContentType.parse(asset.mimeType);
       request.response.add(asset.data);
       request.response.close();
       return;
     }
     // HTTP based service request.
     try {
-      var client = new HttpRequestClient(request, _service, _allowedOrigins);
+      var client = new HttpRequestClient(request, _service);
       var message = new Message.fromUri(client, request.uri);
       client.onMessage(null, message);
     } catch (e) {
       print('Unexpected error processing HTTP request uri: '
             '${request.uri}\n$e\n');
       rethrow;
     }
   }
 
   Future startup() {
     if (_server != null) {
       // Already running.
       return new Future.value(this);
     }
 
-    // Clear allowed origins.
-    _allowedOrigins.clear();
-
     var address = new InternetAddress(_ip);
     // Startup HTTP server.
     return HttpServer.bind(address, _port).then((s) {
       _server = s;
       _server.listen(_requestHandler, cancelOnError: true);
-      var ip = _server.address.address.toString();
-      var port = _server.port.toString();
-      // Add the numeric ip and host name to our allowed origins.
-      _addOrigin(ip, port);
-      _addOrigin(_server.address.host.toString(), port);
-      // Explicitly add localhost and 127.0.0.1 on any port (necessary for
-      // adb port forwarding).
-      _addOrigin('127.0.0.1', null);
-      _addOrigin('localhost', null);
+      var ip = _server.address.address;
+      var port = _server.port;
       if (_displayMessages) {
         print('Observatory listening on http://$ip:$port');
       }
       // Server is up and running.
       _notifyServerState(ip, _server.port);
       onServerAddressChange('http://$ip:$port');
       return this;
     }).catchError((e, st) {
       print('Could not start Observatory HTTP server:\n$e\n$st\n');
       _notifyServerState("", 0);
@@ skipping 35 matching lines @@
       _notifyServerState("", 0);
       onServerAddressChange(null);
       return this;
     });
   }
 
 }
 
 void _notifyServerState(String ip, int port)
     native "VMServiceIO_NotifyServerState";