CorsUtils#isCorsRequest should detect same origin requests with an Origin header

[ArayChou]

Affecting version: spring-web:5.1.3.RELEASE

Hello, org.springframework.web.cors.CorsUtils#isCorsRequest only check whether the request header "Origin" is null.

public static boolean isCorsRequest(HttpServletRequest request) {
	return (request.getHeader(HttpHeaders.ORIGIN) != null);
}

But Chrome/Edge always send the "Origin" header in AJAX request even when it is not CORS request ( the target URL is the same domain ).

It is better to check that whether the "Origin" header is the same as the request URL in addition.

[sdeleuze]

This check is currently done as a second step at WebUtils#isSameOrigin level invoked by DefaultCorsProcessor#processRequest. That said, per RFC 6454 section 7.3, I tend to agree that this check should be invoked by CorsUtils#isCorsRequest for more correct semantics but I would like to avoid any performance regression, and I would like to see if we have possibilities to avoid duplicated CorsUtils#isCorsRequest, so I plan this one for 5.2 along to #22273 unless other team members think otherwise.