Disable CORS credentials by default
Access-Control-Allow-Credentials CORS header, used to allow cookies with CORS requests, is not set to true anymore by default when enabling CORS with @CrossOrigin or global CORS configuration in order to provide a more secured default CORS configuration. The related allowCredentials property now requires to be set to true explicitly in order to support cookies with CORS requests. Issue: SPR-16130
This commit is contained in:
@@ -903,7 +903,7 @@ public class MvcNamespaceTests {
|
||||
assertArrayEquals(new String[]{"GET", "HEAD", "POST"}, config.getAllowedMethods().toArray());
|
||||
assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
|
||||
assertNull(config.getExposedHeaders());
|
||||
assertTrue(config.getAllowCredentials());
|
||||
assertNull(config.getAllowCredentials());
|
||||
assertEquals(Long.valueOf(1800), config.getMaxAge());
|
||||
}
|
||||
}
|
||||
@@ -933,7 +933,7 @@ public class MvcNamespaceTests {
|
||||
assertArrayEquals(new String[]{"GET", "HEAD", "POST"}, config.getAllowedMethods().toArray());
|
||||
assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
|
||||
assertNull(config.getExposedHeaders());
|
||||
assertTrue(config.getAllowCredentials());
|
||||
assertNull(config.getAllowCredentials());
|
||||
assertEquals(Long.valueOf(1800), config.getMaxAge());
|
||||
}
|
||||
}
|
||||
|
||||
@@ -126,7 +126,7 @@ public class CrossOriginTests {
|
||||
assertNotNull(config);
|
||||
assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
|
||||
assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
|
||||
assertTrue(config.getAllowCredentials());
|
||||
assertNull(config.getAllowCredentials());
|
||||
assertArrayEquals(new String[] {"*"}, config.getAllowedHeaders().toArray());
|
||||
assertTrue(CollectionUtils.isEmpty(config.getExposedHeaders()));
|
||||
assertEquals(new Long(1800), config.getMaxAge());
|
||||
@@ -155,7 +155,7 @@ public class CrossOriginTests {
|
||||
CorsConfiguration config = getCorsConfiguration(chain, false);
|
||||
assertNotNull(config);
|
||||
assertEquals(Arrays.asList("http://example.com"), config.getAllowedOrigins());
|
||||
assertTrue(config.getAllowCredentials());
|
||||
assertNull(config.getAllowCredentials());
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -166,7 +166,7 @@ public class CrossOriginTests {
|
||||
CorsConfiguration config = getCorsConfiguration(chain, false);
|
||||
assertNotNull(config);
|
||||
assertEquals(Arrays.asList("http://example.com"), config.getAllowedOrigins());
|
||||
assertTrue(config.getAllowCredentials());
|
||||
assertNull(config.getAllowCredentials());
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -243,7 +243,7 @@ public class CrossOriginTests {
|
||||
assertNotNull(config);
|
||||
assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
|
||||
assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
|
||||
assertTrue(config.getAllowCredentials());
|
||||
assertNull(config.getAllowCredentials());
|
||||
assertArrayEquals(new String[] {"*"}, config.getAllowedHeaders().toArray());
|
||||
assertTrue(CollectionUtils.isEmpty(config.getExposedHeaders()));
|
||||
assertEquals(new Long(1800), config.getMaxAge());
|
||||
|
||||
Reference in New Issue
Block a user