[Hawkular-dev] CORS filters

Juraci Paixão Kröhling jpkroehling at redhat.com
Thu May 21 12:08:06 EDT 2015



All,

I noticed that some components are implementing a custom CORS filter.
This is a feature that is provided also by Keycloak, and
administrators can use KC to set what are the allowed origins and
methods via its UI.

If you absolutely need a custom CORS filter for a different reason,
make sure to:

1) tell Keycloak to not handle CORS on your behalf. For instance, if I
were to disable Keycloak's CORS filter for Accounts, I'd change this
line to "false":

http://git.io/vTrkl

2) validate the user input ("origin" is a value that can be faked), so
that you are not vulnerable to an HTTP splitting attack:

https://www.owasp.org/index.php/HTTP_Response_Splitting

-- Juca.
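An allow-list origin check of the kind point 2 above asks for, as an added example (not Hawkular or Keycloak code); the entries in ALLOWED_ORIGINS are constructed placeholders, and the check never reflects the raw Origin value back into a response header:

```python
"""Allow-list based CORS origin validation (added example, not project code)."""
from urllib.parse import urlsplit

# Constructed allow-list. A real deployment would load this from
# configuration (or leave it to Keycloak, as the mail suggests).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS"


def normalize_origin(origin):
    """Return the canonical scheme://host[:port] form of an Origin header
    value, or None if it is not a single well-formed origin."""
    if origin is None:
        return None
    # Header injection / response splitting: a CR, LF or any other control
    # character in a value that might be written into a header is rejected.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in origin):
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # An origin carries no path, query, fragment or credentials.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()  # scheme is already lower-cased by urlsplit
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Response headers for a request carrying the given Origin header.
    Only a normalized, allow-listed origin is written back; anything else
    gets no CORS headers, so the browser blocks the cross-origin read."""
    canon = normalize_origin(origin)
    if canon is None or canon not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": canon,
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Vary": "Origin",  # the response depends on Origin; tell caches so
    }
```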
