Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-6444

CrossOriginResourceSharingFilter.java should not set Origin=* when Credentials=true

          Details

          • Type: Bug
          • Status: Closed
          • Priority: Major
          • Resolution: Fixed
          • Affects Version/s: None
          • Fix Version/s: 3.0.6, 2.7.17, 3.1.2
          • Component/s: JAX-RS Security
          • Labels:
            None
          • Estimated Complexity:
            Unknown

            Description

            According to this: http://www.w3.org/TR/cors/#resource-preflight-requests

            ...when Access-Control-Allow-Credentials: true is set, the response Origin: must be the same as the request Origin (see bullet #7).

            It doesn't say why in the RFC (that I could see), but I presume there are security implications.

              Attachments

                Activity

                  People

                  • Assignee:
                    sergey_beryozkin Sergey Beryozkin
                    Reporter:
                    justinsb Justin SB
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    1 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: