Add Vary:Origin HTTP header in SockJS responses

This change adds a "Vary: Origin" HTTP response header for /info and
/iframe SockJS endpoints.
This is preventing proxies and browsers from caching a response and
reusing it for an invalid Origin.

Reference: https://groups.google.com/forum/#!topic/sockjs/svsLWRorSis

Issue: SPR-12310
This commit is contained in:
Brian Clozel
2014-10-08 16:37:50 +02:00
parent f518ad9009
commit 2a39081819
2 changed files with 5 additions and 1 deletions

View File

@@ -83,6 +83,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
assertEquals("*", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
assertEquals("true", this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.servletResponse.getHeader("Cache-Control"));
assertEquals("Origin", this.servletResponse.getHeader("Vary"));
String body = this.servletResponse.getContentAsString();
assertEquals("{\"entropy\"", body.substring(0, body.indexOf(':')));
@@ -133,6 +134,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
assertEquals("Last-Modified", this.servletResponse.getHeader("Access-Control-Allow-Headers"));
assertEquals("OPTIONS, GET", this.servletResponse.getHeader("Access-Control-Allow-Methods"));
assertEquals("31536000", this.servletResponse.getHeader("Access-Control-Max-Age"));
assertEquals("Origin", this.servletResponse.getHeader("Vary"));
}
@Test