Set Vary: Origin on CORS unauthorized response

Issue: SPR-16224
This commit is contained in:
sdeleuze
2017-11-22 22:32:12 +01:00
parent 652e5c5584
commit 4a87d3da7b
4 changed files with 47 additions and 6 deletions

View File

@@ -119,6 +119,10 @@ public class DefaultCorsProcessor implements CorsProcessor {
String requestOrigin = request.getHeaders().getOrigin();
String allowOrigin = checkOrigin(config, requestOrigin);
HttpHeaders responseHeaders = response.getHeaders();
responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
if (allowOrigin == null) {
logger.debug("Rejecting CORS request because '" + requestOrigin + "' origin is not allowed");
rejectRequest(response);
@@ -141,9 +145,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
return false;
}
HttpHeaders responseHeaders = response.getHeaders();
responseHeaders.setAccessControlAllowOrigin(allowOrigin);
responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
if (preFlightRequest) {
responseHeaders.setAccessControlAllowMethods(allowMethods);

View File

@@ -105,6 +105,9 @@ public class DefaultCorsProcessor implements CorsProcessor {
ServerHttpRequest request = exchange.getRequest();
ServerHttpResponse response = exchange.getResponse();
HttpHeaders responseHeaders = response.getHeaders();
response.getHeaders().add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
String requestOrigin = request.getHeaders().getOrigin();
String allowOrigin = checkOrigin(config, requestOrigin);
@@ -130,9 +133,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
return false;
}
HttpHeaders responseHeaders = response.getHeaders();
responseHeaders.setAccessControlAllowOrigin(allowOrigin);
responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
if (preFlightRequest) {
responseHeaders.setAccessControlAllowMethods(allowMethods);