[keycloak-user] CORS only for OPTIONS?

Bill Burke bburke at redhat.com
Wed Apr 2 15:30:03 EDT 2014


Which headers are we not sending back?  The way it works is that for 
non-authenticated requests, we do handle pre-flight requests, but not 
regular requests.  If the request is authenticated then we validate the 
origin vs. the allowed origins in the token.

On 4/2/2014 2:39 PM, Juraci Paixão Kröhling wrote:
> Hello,
>
> I've noticed that KC sets the CORS headers only during pre-flight
> request, not on the regular requests. While this is in accordance with
> the documentation, I'm wondering if there's a reason for not sending
> the CORS headers for non-OPTIONS headers as well. As it currently is,
> I'd have to implement the CORS response filter in my application
> anyway, so, I'm wondering in which scenarios I'd delegate this to KC.
>
> By the way, it seems that setting "enable-cors" to false has no
> effect, as the headers are still being added by KC.
>
> Juca.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
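
The behaviour described in the reply above, sketched as an added Python example (not Keycloak's code and not part of the original thread). The "allowed-origins" claim name, the function names and the sample token are assumptions of the sketch, and the token is taken to be signature-verified before this logic runs.

```python
import base64
import json

class OriginNotAllowed(Exception):
    """Authenticated request whose Origin is not listed in the token."""

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def allowed_origins(token: str) -> set:
    # ASSUMPTION: the caller has already verified the token's signature;
    # the "allowed-origins" claim name is assumed for this sketch.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("allowed-origins", []))

def cors_headers(method: str, headers: dict, token: str = None) -> dict:
    """Return the CORS response headers for one request, or raise."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return {}  # same-origin or non-browser client: nothing to add
    if method == "OPTIONS" and "access-control-request-method" in h:
        # Pre-flight carries no credentials, so it is answered without a token.
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": h["access-control-request-method"],
            "Access-Control-Allow-Headers": h.get("access-control-request-headers", ""),
        }
    if token is None:
        return {}  # unauthenticated regular request: no CORS headers
    if origin not in allowed_origins(token):
        raise OriginNotAllowed(origin)  # origin is not in the token's list
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

# Constructed sample token (unsigned, for illustration only).
SAMPLE_TOKEN = ".".join([
    b64url(b'{"alg":"none"}'),
    b64url(json.dumps({"sub": "user-1",
                       "allowed-origins": ["https://app.example.org"]}).encode()),
    "",
])
```

The pre-flight answer only lets the browser send the real request; the origin check on the authenticated request is what enforces the allow-list.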

