HeaderAndQueryParamsRegexMatch = "{.spec.http[%d].match[%d].%s.%s.regex}"

	// Path for regex match of allowOrigins.
	// Required parameters: http index, allowOrigins index.
	AllowOriginsRegexMatch = "{.spec.http[%d].corsPolicy.allowOrigins[%d].regex}"

	// Path for workload selector.
	// Required parameters: selector label.
	WorkloadSelector = "{.spec.workloadSelector.labels.%s}"

metadata:
  name: cors
  namespace: testns
spec:
  hosts:
    - cors.test.istio.io
  http:
    - route:
      - destination:
          host: cors.test.istio.io
      corsPolicy:
        allowOrigins:
          - exact: http://foo.example
        allowMethods:
          - POST
          - GET
          - OPTIONS
        allowHeaders:
          - content-type
        exposeHeaders:

"queryParams"
"ignoreUriCase"
"withoutHeaders"
"sourceNamespace"
"destination"
"destinationSubnets"
"sniHosts"
"redirectCode"
"retryRemoteLocalities"
"retryOn"
"perTryTimeout"
"attempts"
"allowOrigins"
"allowMethods"
"allowHeaders"
"exposeHeaders"
"maxAge"
"allowCredentials"
"abort"
"set"
"add"
"remove"
"fixedDelay"
"percentage"
"percent"
"httpStatus"
"address"

	"{.spec.http[0].match[0].test.regex}":                           1,
	"{.spec.http[0].match[0].test.test.regex}":                      1,
	"{.spec.http[0].corsPolicy.allowOrigins[0].regex}":              1,
	"{.spec.workloadSelector.labels.test}":                          1,
	"{.spec.ports[0].port}":                                         1,

	node := &model.Proxy{
		IstioVersion: &model.IstioVersion{
			Major: 1,
			Minor: 23,
			Patch: 0,
		},
	}
	corsPolicy := &networking.CorsPolicy{
		AllowOrigins: []*networking.StringMatch{
			{MatchType: &networking.StringMatch_Exact{Exact: "exact"}},
			{MatchType: &networking.StringMatch_Prefix{Prefix: "prefix"}},
			{MatchType: &networking.StringMatch_Regex{Regex: "regex"}},

		out.ForwardNotMatchingPreflights = forwardNotMatchingPreflights(in)
	}

	// nolint: staticcheck
	if in.AllowOrigins != nil {
		out.AllowOriginStringMatch = util.ConvertToEnvoyMatches(in.AllowOrigins)
	} else if in.AllowOrigin != nil {
		out.AllowOriginStringMatch = util.StringToExactMatch(in.AllowOrigin)
	}

	out.FilterEnabled = &core.RuntimeFractionalPercent{
		DefaultValue: &xdstype.FractionalPercent{

			AllowHeaders:  []string{"header1", "header2"},
			ExposeHeaders: []string{"header3"},
			MaxAge:        &durationpb.Duration{Seconds: 2, Nanos: 42},
		}, valid: false},
		{name: "empty matchType AllowOrigins", in: &networking.CorsPolicy{
			AllowOrigins: []*networking.StringMatch{
				{MatchType: &networking.StringMatch_Exact{Exact: ""}},
				{MatchType: &networking.StringMatch_Prefix{Prefix: ""}},

	}
	return
}

func validateCORSPolicy(policy *networking.CorsPolicy) (errs error) {
	if policy == nil {
		return
	}

	for _, origin := range policy.AllowOrigins {
		errs = appendErrors(errs, validateAllowOrigins(origin))
	}

	for _, method := range policy.AllowMethods {
		errs = appendErrors(errs, validateHTTPMethod(method))
	}

                          items:
                            type: string
                          type: array
                        allowOrigin:
                          items:
                            type: string
                          type: array
                        allowOrigins:
                          description: String patterns that match allowed origins.
                          items:

                          items:
                            type: string
                          type: array
                        allowOrigin:
                          items:
                            type: string
                          type: array
                        allowOrigins:
                          description: String patterns that match allowed origins.
                          items: