Add Access-Control-Request-Method check for CORS preflight requests
Issue: SPR-13193
This commit is contained in:
@@ -41,7 +41,8 @@ public class CorsUtils {
|
||||
* Returns {@code true} if the request is a valid CORS pre-flight one.
|
||||
*/
|
||||
public static boolean isPreFlightRequest(HttpServletRequest request) {
|
||||
return (isCorsRequest(request) && request.getMethod().equals(HttpMethod.OPTIONS.name()));
|
||||
return (isCorsRequest(request) && request.getMethod().equals(HttpMethod.OPTIONS.name())
|
||||
&& request.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD) != null);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user