Uploaded image for project: 'Camel'
  1. Camel
  2. CAMEL-10913

CORS header Access-Control-Allow-Credentials not managed correctly

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.19.0
    • camel-http-common
    • None
    • Unknown

    Description

      When a browser uses the "withCredentials" flag (not visible in HTTP request headers), it accepts the response only if the "Access-Control-Allow-Credentials" header returned by the server is set to "true".

      That header is not part of Camel standard cors headers, but it can be set in the route. The problem is that when "Access-Control-Allow-Credentials" is set to "true", the "Access-Control-Allow-Origin" header cannot be set to "*", which is our default (https://www.w3.org/TR/cors/ - section 6.1, point 3).

      Setting a value for the "Access-Control-Allow-Origin" header equals to the "Origin" header of the request makes the trick, but this must be set per-route, and CORS must be disabled.

      Eg.

      // do not enable cors
      rest().get("/hello")
        .route()
        .to("direct:handle")
        .setHeader("Access-Control-Allow-Credentials", constant("true"))
        .setHeader("Access-Control-Allow-Origin", header("Origin"));
      

      Otherwise the only option is setting a fixed allowed origin if you know it in advance.

      I wonder if we should add e.g. a ".corsAllowCredentials(boolean)" configuration to handle this situation correctly, or another flag to reflect the origin instead of returning "*".

      Attachments

        Issue Links

          Activity

            People

              nferraro Nicola Ferraro
              nferraro Nicola Ferraro
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: