Tighten CORS origin validation in AccessControlAllowOriginHeader #150
Description
Summary
Improve the AccessControlAllowOriginHeader class to enforce stricter validation of origin values and handle the CORS literal null value properly.
Background
During review of PR #146, it was identified that the current implementation could benefit from:
- Stricter origin validation: Origins should have scheme and host, but no path, query, fragment, or userInfo
- CORS null literal support: The literal string
"null"is a valid CORS origin value that should be supported
Proposed Solution
Create a special class (possibly an extension type on Uri) to represent CORS origins with proper validation:
- Add constructor assertions to ensure origins are valid (scheme + host present, no path/query/fragment/userInfo)
- Support parsing and encoding the literal
"null"value per CORS specification - Ensure proper round-trip behavior for all valid CORS origin values
Context
- Original discussion: feat: Add operator== and hashCode on all header classes #146 (comment)
- Related to PR: feat: Add operator== and hashCode on all header classes #146
- File:
lib/src/headers/typed/headers/access_control_allow_origin_header.dart
Acceptance Criteria
- Create a dedicated CORS origin type with proper validation
- Support literal
"null"value parsing and encoding - Add comprehensive tests for valid/invalid origins
- Ensure backward compatibility
- Update AccessControlAllowOriginHeader to use the new type