CORS specification specifies that "an origin is composed of only the scheme, hostname, and port", but WebUtils#isSameOrigin currently only checks hostname and port.
Based on my current understanding, the main way to trigger an incorrect behavior with current implementation is to send a request from http://domain.com to https://domain.com or the other way around. Based on the spec, it should be detected by the browser as a cross origin request but won't be understood as such by our implementation, skipping CORS checks and CORS response header processing, resulting of such HTTP exchange being rejected by the browser due to the lack of CORS response headers.
Note that performing a check on the scheme should be done very carefully in that context because it could have some unexpected side effects given that:
- Unlike the Origin one, the Host header does not contain the scheme information (for example Host: domain.com)
- Chrome and Safari includes the Origin header for some same origin requests, making such change on WebUtils#isSameOrigin risky.