[CXF-5017] CrossOriginResourceSharingFilter FIELD_COMMA_PATTERN mangles firefox headers - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.6
Fix Version/s: 2.5.11, 2.6.9, 2.7.6, 3.0.0-milestone1
Component/s: JAX-RS Security
Labels:
None
Environment:

firefox

Estimated Complexity:
Unknown

Description

When a CORS request header send with a comma delimited list of values without whitespace, the regexp:

{private static final Pattern FIELD_COMMA_PATTERN = Pattern.compile(",\\w*");}

consumes (part of) the next item in the list.

The offending header in my case is (on a HTTP OPTIONS pre-flight check)
Access-Control-Request-Headers: authorization,content-type
which is eventually returned to the browser as:
Access-Control-Allow-Headers: authorization, -type

The result of which is Firefox refusing the cross-domain POST request following this OPTIONS check

i couldn't find a reason why the

{\\w*}

part should be part of a comma splitting regexp, changing the regexp to

{"," , ",\\b*" or ",\\s"}

fixed the problem for me and would seem more logical to me (but i'm not too familiar with the ins and out of CXF)

Attachments

Activity

People

Assignee:: Sergey Beryozkin

Reporter:: Pieter Goddijn

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 15/May/13 11:33

Updated:: 14/Aug/13 15:49

Resolved:: 20/May/13 15:19