Set Vary: Origin on CORS unauthorized response
Issue: SPR-16224
This commit is contained in:
@@ -119,6 +119,10 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||
|
||||
String requestOrigin = request.getHeaders().getOrigin();
|
||||
String allowOrigin = checkOrigin(config, requestOrigin);
|
||||
HttpHeaders responseHeaders = response.getHeaders();
|
||||
|
||||
responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
|
||||
|
||||
if (allowOrigin == null) {
|
||||
logger.debug("Rejecting CORS request because '" + requestOrigin + "' origin is not allowed");
|
||||
rejectRequest(response);
|
||||
@@ -141,9 +145,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||
return false;
|
||||
}
|
||||
|
||||
HttpHeaders responseHeaders = response.getHeaders();
|
||||
responseHeaders.setAccessControlAllowOrigin(allowOrigin);
|
||||
responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
|
||||
|
||||
if (preFlightRequest) {
|
||||
responseHeaders.setAccessControlAllowMethods(allowMethods);
|
||||
|
||||
@@ -105,6 +105,9 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
ServerHttpResponse response = exchange.getResponse();
|
||||
HttpHeaders responseHeaders = response.getHeaders();
|
||||
|
||||
response.getHeaders().add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
|
||||
|
||||
String requestOrigin = request.getHeaders().getOrigin();
|
||||
String allowOrigin = checkOrigin(config, requestOrigin);
|
||||
@@ -130,9 +133,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||
return false;
|
||||
}
|
||||
|
||||
HttpHeaders responseHeaders = response.getHeaders();
|
||||
responseHeaders.setAccessControlAllowOrigin(allowOrigin);
|
||||
responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
|
||||
|
||||
if (preFlightRequest) {
|
||||
responseHeaders.setAccessControlAllowMethods(allowMethods);
|
||||
|
||||
Reference in New Issue
Block a user