Disable CORS credentials by default

Access-Control-Allow-Credentials CORS header, used to
allow cookies with CORS requests, is not set to true
anymore by default when enabling CORS with
@CrossOrigin or global CORS configuration in order to
provide a more secured default CORS configuration.

The related allowCredentials property now requires to
be set to true explicitly in order to support cookies
with CORS requests.

Issue: SPR-16130
This commit is contained in:
sdeleuze
2017-11-22 11:38:55 +01:00
parent 93f17dae47
commit 652e5c5584
10 changed files with 46 additions and 33 deletions

View File

@@ -903,7 +903,7 @@ public class MvcNamespaceTests {
assertArrayEquals(new String[]{"GET", "HEAD", "POST"}, config.getAllowedMethods().toArray());
assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
assertNull(config.getExposedHeaders());
assertTrue(config.getAllowCredentials());
assertNull(config.getAllowCredentials());
assertEquals(Long.valueOf(1800), config.getMaxAge());
}
}
@@ -933,7 +933,7 @@ public class MvcNamespaceTests {
assertArrayEquals(new String[]{"GET", "HEAD", "POST"}, config.getAllowedMethods().toArray());
assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
assertNull(config.getExposedHeaders());
assertTrue(config.getAllowCredentials());
assertNull(config.getAllowCredentials());
assertEquals(Long.valueOf(1800), config.getMaxAge());
}
}

View File

@@ -126,7 +126,7 @@ public class CrossOriginTests {
assertNotNull(config);
assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
assertTrue(config.getAllowCredentials());
assertNull(config.getAllowCredentials());
assertArrayEquals(new String[] {"*"}, config.getAllowedHeaders().toArray());
assertTrue(CollectionUtils.isEmpty(config.getExposedHeaders()));
assertEquals(new Long(1800), config.getMaxAge());
@@ -155,7 +155,7 @@ public class CrossOriginTests {
CorsConfiguration config = getCorsConfiguration(chain, false);
assertNotNull(config);
assertEquals(Arrays.asList("http://example.com"), config.getAllowedOrigins());
assertTrue(config.getAllowCredentials());
assertNull(config.getAllowCredentials());
}
@Test
@@ -166,7 +166,7 @@ public class CrossOriginTests {
CorsConfiguration config = getCorsConfiguration(chain, false);
assertNotNull(config);
assertEquals(Arrays.asList("http://example.com"), config.getAllowedOrigins());
assertTrue(config.getAllowCredentials());
assertNull(config.getAllowCredentials());
}
@Test
@@ -243,7 +243,7 @@ public class CrossOriginTests {
assertNotNull(config);
assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
assertTrue(config.getAllowCredentials());
assertNull(config.getAllowCredentials());
assertArrayEquals(new String[] {"*"}, config.getAllowedHeaders().toArray());
assertTrue(CollectionUtils.isEmpty(config.getExposedHeaders()));
assertEquals(new Long(1800), config.getMaxAge());