dvershinin · dvershinin · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025
diff --git a/docs/en/plugins/origins.md b/docs/en/plugins/origins.md
@@ -7,8 +7,8 @@ The most common errors with this configuration are:
   - regex errors;
   - allow third-party origins.
 
- > Notice: by default, Gixy doesn't check regexes for third-party origins matching.
- > You can pass a list of trusted domains by using the option `--origins-domains example.com,foo.bar`
+> Notice: by default, Gixy doesn't check regexes for third-party origins matching.
+> You can pass a list of trusted domains by using the option `--origins-domains example.com,foo.bar`. When enabled, Gixy recognizes origins by registrable domain (via Public Suffix List) and will flag regexes that allow off-domain values.
 
 ## How can I find it?
 "Eazy"-breezy:
@@ -30,4 +30,14 @@ TODO(buglloc): Regex Ninja?
 
   - fix your regex or toss it away :)
   - if you use regex validation for `Referer` request header, then, possibly (not 100%), you could use [ngx_http_referer_module](http://nginx.org/en/docs/http/ngx_http_referer_module.htmll);
-  - sometimes it is much better to use the `map` directive without any regex at all.
+  - often it's better to avoid regex entirely for `Origin` and use a `map` allowlist:
+
+```nginx
+map $http_origin $allow_origin {
+    ~^https://([A-Za-z0-9\-]+\.)?example\.com(?::[0-9]{1,5})?$ $http_origin;
+    default "";
+}
+add_header Access-Control-Allow-Origin $allow_origin always;
+```
+
+Gixy now understands this pattern and will analyze regex map keys feeding `Access-Control-Allow-Origin`.
diff --git a/gixy/core/builtin_variables.py b/gixy/core/builtin_variables.py
@@ -293,19 +293,30 @@ def _parse_dropin_file(file_path):
     where value follows _normalize_value_token rules.
     """
     result = {}
-    assign_re = re.compile(r"^\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*(.*)$")
     try:
         with open(file_path, "r") as fh:
             for raw_line in fh:
                 line = raw_line.strip()
                 if not line or line.startswith("#") or line.startswith(";"):
                     continue
 
-                m = assign_re.match(line)
-                if not m:
+                # Fast-path parse: find first whitespace after a valid identifier
+                i = 0
+                n = len(line)
+                # identifier start
+                c0 = line[0]
+                if not (c0.isalpha() or c0 == "_"):
                     LOG.info("Skip malformed custom variable line in %s: %r", file_path, raw_line.rstrip("\n"))
                     continue
-                name, value_token = m.group(1), m.group(2).strip()
+                i = 1
+                while i < n and (line[i].isalnum() or line[i] == "_"):
+                    i += 1
+                name = line[:i]
+                # skip spaces between name and value
+                j = i
+                while j < n and line[j].isspace():
+                    j += 1
+                value_token = line[j:]
                 # Allow optional separator characters between name and value
                 # If the line used name = value or name: value, drop the first char
                 if value_token[:1] in ("=", ":"):