Live: rely on app url for origin check (#35983)

pkg/services/live/live_test.go

@@ -2,6 +2,8 @@ package live
 
 import (
 	"context"
+	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"
 
@@ -50,3 +52,63 @@ func Test_runConcurrentlyIfNeeded_DeadlineExceeded(t *testing.T) {
 	err := runConcurrentlyIfNeeded(ctx, semaphore, f)
 	require.ErrorIs(t, err, context.DeadlineExceeded)
 }
+
+func TestCheckOrigin(t *testing.T) {
+	testCases := []struct {
+		name    string
+		origin  string
+		appURL  string
+		success bool
+	}{
+		{
+			name:    "empty_origin",
+			origin:  "",
+			appURL:  "http://localhost:3000/",
+			success: true,
+		},
+		{
+			name:    "valid_origin",
+			origin:  "http://localhost:3000",
+			appURL:  "http://localhost:3000/",
+			success: true,
+		},
+		{
+			name:    "unauthorized_origin",
+			origin:  "http://localhost:8000",
+			appURL:  "http://localhost:3000/",
+			success: false,
+		},
+		{
+			name:    "bad_origin",
+			origin:  ":::http://localhost:8000",
+			appURL:  "http://localhost:3000/",
+			success: false,
+		},
+		{
+			name:    "different_scheme",
+			origin:  "http://example.com",
+			appURL:  "https://example.com",
+			success: false,
+		},
+		{
+			name:    "authorized_case_insensitive",
+			origin:  "https://examplE.com",
+			appURL:  "https://example.com",
+			success: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			appURL, err := url.Parse(tc.appURL)
+			require.NoError(t, err)
+			r := httptest.NewRequest("GET", tc.appURL, nil)
+			r.Header.Set("Origin", tc.origin)
+			require.Equal(t, tc.success, checkOrigin(r, appURL),
+				"origin %s, appURL: %s", tc.origin, tc.appURL,
+			)
+		})
+	}
+}