From 7039f27038f0ac57aa591dcf0f07e64462fde72f Mon Sep 17 00:00:00 2001 From: "update-envoy[bot]" <135279899+update-envoy[bot]@users.noreply.github.com> Date: Fri, 22 Mar 2024 15:51:16 +0000 Subject: [PATCH] cors: return local reply when preflight origin does not match allowed origins (#33051) CORS: Generate local response for preflights with not matching origin. Signed-off-by: Christoph Pakulski Mirrored from https://github.com/envoyproxy/envoy @ 5f58f9ac917e82fdfadb771b8de3bb466d9e53ee
---
 envoy/config/route/v3/route_components.proto | 6 +++++- envoy/extensions/filters/http/cors/v3/cors.proto | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/envoy/config/route/v3/route_components.proto b/envoy/config/route/v3/route_components.proto
index 3e755301..69d3e8a5 100644
--- a/envoy/config/route/v3/route_components.proto
+++ b/envoy/config/route/v3/route_components.proto
@@ -673,7 +673,7 @@ message RouteMatch {
 // :ref:`CorsPolicy in filter extension `
 // as as alternative.
 //
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message CorsPolicy {
 option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.CorsPolicy";
@@ -727,6 +727,10 @@ message CorsPolicy {
 //
 // More details refer to https://developer.chrome.com/blog/private-network-access-preflight.
 google.protobuf.BoolValue allow_private_network_access = 12;
+
+ // Specifies if preflight requests not matching the configured allowed origin should be forwarded
+ // to the upstream. Default is true.
+ google.protobuf.BoolValue forward_not_matching_preflights = 13;
 }
 // [#next-free-field: 42]
diff --git a/envoy/extensions/filters/http/cors/v3/cors.proto b/envoy/extensions/filters/http/cors/v3/cors.proto
index 7e49dc8e..11ce9101 100644
--- a/envoy/extensions/filters/http/cors/v3/cors.proto
+++ b/envoy/extensions/filters/http/cors/v3/cors.proto
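Review bot: The comment on `forward_not_matching_preflights` (field 13 in the `@@ -727,6 +727,10 @@` hunk of route_components.proto, and the identical field 10 in cors.proto) documents only the forwarding case and never says what happens when the value is false. The commit subject says a local reply is returned, so the comment should state it, for example `// When false, the filter answers such preflights with a local reply and the request is not sent upstream.` Because the default is true, existing configurations keep forwarding preflights from origins that are not allowed, so operators who expect the proxy to keep those requests away from the upstream must set the field explicitly; that is worth one more sentence in the comment. The status code and headers of the local reply are not visible in this patch and should be documented alongside the field once confirmed.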
@@ -33,7 +33,7 @@ message Cors {
 // Per route configuration for the CORS filter. This configuration should be configured in the ``RouteConfiguration`` as ``typed_per_filter_config`` at some level to
 // make the filter work.
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message CorsPolicy {
 // Specifies string patterns that match allowed origins. An origin is allowed if any of the
 // string matchers match.
@@ -79,4 +79,8 @@ message CorsPolicy {
 //
 // More details refer to https://developer.chrome.com/blog/private-network-access-preflight.
 google.protobuf.BoolValue allow_private_network_access = 9;
+
+ // Specifies if preflight requests not matching the configured allowed origin should be forwarded
+ // to the upstream. Default is true.
+ google.protobuf.BoolValue forward_not_matching_preflights = 10;
 }
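Review bot: The comment on field 10 in the `@@ -79,4 +79,8 @@` hunk does not say how an unset value is resolved when this `CorsPolicy` is attached at more than one level, which the message comment in the first hunk allows ("at some level"). With a `BoolValue` whose default is true, it is unclear from the patch whether a more specific policy that leaves the field unset inherits a `false` configured at a less specific level or falls back to forwarding. If it falls back, a broad `false` could be silently undone by any route that carries its own policy, so the comment should state whether unset means "inherit" or "true". The wording "the configured allowed origin" is also imprecise, since the message matches against a list of string matchers; `not matching any of the configured allowed origins` would fit the first hunk's description.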