Disable CORS credentials by default

Access-Control-Allow-Credentials CORS header, used to
allow cookies with CORS requests, is not set to true
anymore by default when enabling CORS with
@CrossOrigin or global CORS configuration in order to
provide a more secured default CORS configuration.

The related allowCredentials property now requires to
be set to true explicitly in order to support cookies
with CORS requests.

Issue: SPR-16130
This commit is contained in:
sdeleuze
2017-11-22 11:38:55 +01:00
parent 93f17dae47
commit 652e5c5584
10 changed files with 46 additions and 33 deletions

View File

@@ -28,7 +28,7 @@ import org.springframework.web.cors.CorsConfiguration;
/**
* Marks the annotated method or type as permitting cross origin requests.
*
* <p>By default all origins and headers are permitted, credentials are allowed,
* <p>By default all origins and headers are permitted, credentials are not allowed,
* and the maximum age is set to 1800 seconds (30 minutes). The list of HTTP
* methods is set to the methods on the {@code @RequestMapping} if not
* explicitly set on {@code @CrossOrigin}.
@@ -64,7 +64,7 @@ public @interface CrossOrigin {
* @deprecated as of Spring 5.0, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
*/
@Deprecated
boolean DEFAULT_ALLOW_CREDENTIALS = true;
boolean DEFAULT_ALLOW_CREDENTIALS = false;
/**
* @deprecated as of Spring 5.0, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
@@ -118,12 +118,13 @@ public @interface CrossOrigin {
/**
* Whether the browser should include any cookies associated with the
* domain of the request being annotated.
* <p>Set to {@code "false"} if such cookies should not included.
* An empty string ({@code ""}) means <em>undefined</em>.
* {@code "true"} means that the pre-flight response will include the header
* {@code Access-Control-Allow-Credentials=true}.
* <p>If undefined, credentials are allowed.
* domain of the request being annotated. Be aware that enabling this option could
* increase the surface attack of the web application (for example via exposing
* sensitive user-specific information like CSRF tokens).
* <p>Set to {@code "true"} means that the pre-flight response will include the header
* {@code Access-Control-Allow-Credentials=true} so such cookies should be included.
* <p>If undefined or set to {@code "false"}, such header is not included and
* credentials are not allowed.
*/
String allowCredentials() default "";

View File

@@ -324,7 +324,6 @@ public class CorsConfiguration {
* <li>Allow all origins, i.e. {@code "*"}.</li>
* <li>Allow "simple" methods {@code GET}, {@code HEAD} and {@code POST}.</li>
* <li>Allow all headers.</li>
* <li>Allow credentials.</li>
* <li>Set max age to 1800 seconds (30 minutes).</li>
* </ul>
*/
@@ -339,9 +338,6 @@ public class CorsConfiguration {
if (this.allowedHeaders == null) {
this.addAllowedHeader(ALL);
}
if (this.allowCredentials == null) {
this.setAllowCredentials(true);
}
if (this.maxAge == null) {
this.setMaxAge(1800L);
}