Improve docs on forwarded headers
Issue: SPR-16660
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -81,6 +81,13 @@ public @interface CrossOrigin {
|
||||
* <p>A matched origin is listed in the {@code Access-Control-Allow-Origin}
|
||||
* response header of preflight actual CORS requests.
|
||||
* <p>By default all origins are allowed.
|
||||
* <p><strong>Note:</strong> CORS checks use values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
* @see #value
|
||||
*/
|
||||
@AliasFor("value")
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -145,6 +145,13 @@ public class CorsConfiguration {
|
||||
* <p>The special value {@code "*"} allows all methods.
|
||||
* <p>If not set, only {@code "GET"} and {@code "HEAD"} are allowed.
|
||||
* <p>By default this is not set.
|
||||
* <p><strong>Note:</strong> CORS checks use values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
*/
|
||||
public void setAllowedMethods(@Nullable List<String> allowedMethods) {
|
||||
this.allowedMethods = (allowedMethods != null ? new ArrayList<>(allowedMethods) : null);
|
||||
|
||||
@@ -54,6 +54,13 @@ public abstract class CorsUtils {
|
||||
* @code X-Forwarded-Port} headers.
|
||||
* @return {@code true} if the request is a same-origin one, {@code false} in case
|
||||
* of a cross-origin request
|
||||
* <p><strong>Note:</strong> this method uses values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
*/
|
||||
public static boolean isSameOrigin(ServerHttpRequest request) {
|
||||
String origin = request.getHeaders().getOrigin();
|
||||
|
||||
@@ -677,6 +677,13 @@ public abstract class WebUtils {
|
||||
* Check the given request origin against a list of allowed origins.
|
||||
* A list containing "*" means that all origins are allowed.
|
||||
* An empty list means only same origin is allowed.
|
||||
* <p><strong>Note:</strong> this method may use values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
* @return {@code true} if the request origin is valid, {@code false} otherwise
|
||||
* @since 4.1.5
|
||||
* @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>
|
||||
@@ -701,6 +708,13 @@ public abstract class WebUtils {
|
||||
* Check if the request is a same-origin one, based on {@code Origin}, {@code Host},
|
||||
* {@code Forwarded}, {@code X-Forwarded-Proto}, {@code X-Forwarded-Host} and
|
||||
* @code X-Forwarded-Port} headers.
|
||||
* <p><strong>Note:</strong> this method uses values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
* @return {@code true} if the request is a same-origin one, {@code false} in case
|
||||
* of cross-origin request
|
||||
* @since 4.2
|
||||
|
||||
Reference in New Issue
Block a user