javalin / javalin

A simple and modern Java and Kotlin web framework

Home Page:https://javalin.io


CORS `IndexOutOfBoundsException` when you pass an `Origin` without a `.`

Jerbell opened this issue · comments

Actual behavior (the bug)
I get a `java.lang.IndexOutOfBoundsException: Index: 1, Size: 1` exception when using the CorsPlugin and passing in the header `https://exactxcom`. This is due to the `CorsUtils` `originsMatch` method, line 139; see the split: `clientOrigin.host.split('.', limit = 2)[1]`

Expected behavior
Need to allow for a client host without a full stop.

To Reproduce
Enable the Cors plugin, pass in an origin header like `https://single`, and see the fireworks.

Additional context

I am not sure if an origin without a dot is valid. The only example of a website without a dot I can think of is https://ai/ (the TLD). Edit: this does not work for me, at least. Strange.

Did you encounter this issue during testing? What is your setup that leads to a browser requesting with a dotless origin?

This is just a testing issue, but I always thought it best to try & avoid 500 errors if possible.

I am not sure if an origin without a dot is valid.

Yes, it is. An IPv6 address or a domain name (any string of characters) is a valid origin.

The Origin header contains a scheme, a host and optionally a port. The host, as defined by the URI spec, is not limited to TLDs: localhost or any internal DNS names are also valid, as well as IP literals.

Can we leverage the JDK URI class to generalize this?

The good news: the exception only happens when the wildcard origin feature (`it.allowHost("*.example.com")`) is used. If you do not have this in your config then you are not affected.

I am looking into rewriting the Cors plugin using the JDK's URI class. As a workaround you can avoid the issue by not using the wildcard host syntax, instead enumerating your allowed hosts explicitly.
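As an added illustration of the approach discussed in this thread (parsing the Origin with the JDK's `java.net.URI` instead of splitting the host on `.`), here is a small wildcard allow-host check. This is example code written for this page, not Javalin's `CorsUtils`; the class name, the method names and the host-only rule syntax (`"*.example.com"` or an exact host, no scheme or port in the rule) are assumptions made for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example (not Javalin's CorsUtils): a wildcard allow-host check that parses the
// Origin header with java.net.URI instead of splitting the host on '.'. Class, method
// names and the host-only rule syntax are assumptions made for this illustration.
public final class OriginMatcher {

    private OriginMatcher() {}

    /** Returns the parsed Origin, or null when the value is not a usable scheme://host[:port]. */
    static URI parseOrigin(String origin) {
        if (origin == null || origin.isBlank() || "null".equals(origin)) {
            return null; // the opaque origin "null" can never match a host rule
        }
        try {
            URI uri = new URI(origin.trim());
            // A bare value without a scheme or host (e.g. "exactxcom") is not an origin
            if (uri.getScheme() == null || uri.getHost() == null) {
                return null;
            }
            return uri;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** The shape of the original check: indexes element 1 of a split that may have only one element. */
    static String naiveDomainPart(String host) {
        return host.split("\\.", 2)[1]; // "exactxcom" -> throws ArrayIndexOutOfBoundsException
    }

    /**
     * Matches a client Origin against one allowed host. A rule beginning with "*." covers
     * any host with at least one label in front of the dotted suffix; any other rule is an
     * exact host comparison. Dotless hosts, IPv6 literals and ports never cause an exception.
     */
    static boolean hostMatches(String allowedHost, String clientOrigin) {
        URI client = parseOrigin(clientOrigin);
        if (client == null) {
            return false;
        }
        String host = client.getHost().toLowerCase(Locale.ROOT); // IPv6 comes back as "[::1]"
        String rule = allowedHost.trim().toLowerCase(Locale.ROOT);
        if (rule.startsWith("*.")) {
            String suffix = rule.substring(1); // "*.example.com" -> ".example.com"
            // endsWith on the dotted suffix: "evil-example.com" and "example.com.attacker.net"
            // both fail, and "example.com" itself is not covered by the wildcard.
            return host.length() > suffix.length() && host.endsWith(suffix);
        }
        return host.equals(rule);
    }

    public static void main(String[] args) {
        String rule = "*.example.com";
        // Constructed sample Origin values, one per case the thread raises
        String[] origins = {
            "https://exactxcom",                // dotless host: false, no exception
            "https://api.example.com",          // subdomain: true
            "https://example.com",              // apex itself: false under a "*." rule
            "https://[::1]:8080",               // IPv6 literal with port: false, no exception
            "https://evil-example.com",         // lookalike: false
            "https://example.com.attacker.net", // suffix spoof: false
            "null",                             // opaque origin: false
        };
        for (String o : origins) {
            System.out.println(o + " -> " + hostMatches(rule, o));
        }
        try {
            naiveDomainPart("exactxcom");
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("naive split throws: " + e);
        }
    }
}
```

Two details worth knowing when building on `java.net.URI` for this: `getHost()` returns `null` for authorities that are not RFC 2396 hostnames (for example names containing an underscore), so such origins are denied rather than crashing; and `getPort()` is `-1` when no port is present, which is the value to compare against if a port-aware rule syntax is added later.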