Add Vary:Origin HTTP header in SockJS responses
This change adds a "Vary: Origin" HTTP response header for /info and /iframe SockJS endpoints. This is preventing proxies and browsers from caching a response and reusing it for an invalid Origin. Reference: https://groups.google.com/forum/#!topic/sockjs/svsLWRorSis Issue: SPR-12310
This commit is contained in:
@@ -83,6 +83,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
|
||||
assertEquals("*", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
|
||||
assertEquals("true", this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
|
||||
assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.servletResponse.getHeader("Cache-Control"));
|
||||
assertEquals("Origin", this.servletResponse.getHeader("Vary"));
|
||||
|
||||
String body = this.servletResponse.getContentAsString();
|
||||
assertEquals("{\"entropy\"", body.substring(0, body.indexOf(':')));
|
||||
@@ -133,6 +134,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
|
||||
assertEquals("Last-Modified", this.servletResponse.getHeader("Access-Control-Allow-Headers"));
|
||||
assertEquals("OPTIONS, GET", this.servletResponse.getHeader("Access-Control-Allow-Methods"));
|
||||
assertEquals("31536000", this.servletResponse.getHeader("Access-Control-Max-Age"));
|
||||
assertEquals("Origin", this.servletResponse.getHeader("Vary"));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
Reference in New Issue
Block a user