[jboss-as7-dev] Cross-Origin Resource Sharing

Heiko Braun hbraun at redhat.com
Tue Feb 26 05:16:23 EST 2013



Btw, what are the security concerns with this?

On Feb 26, 2013, at 11:12 AM, Heiko Braun <hbraun at redhat.com> wrote:

> Thanks Darran.
> 
> On Feb 26, 2013, at 11:07 AM, Darran Lofthouse <darran.lofthouse at jboss.com> wrote:
> 
>> Here is the issue: -
>> 
>> https://issues.jboss.org/browse/AS7-2564
>> 
>> On 02/26/2013 09:56 AM, Darran Lofthouse wrote:
>>> No, we never "supported" it - what we had was an HTTP management interface
>>> potentially vulnerable to cross site scripting attacks.  As the console
>>> is served from the same server as the management interface we closed
>>> this down to completely ban cross origin requests.
>>> 
>>> There is an old Jira somewhere to look into allowing configuration to
>>> relax it but that would be better to review after moving to Undertow.
>>> 
>>> Regards,
>>> Darran Lofthouse.
>>> 
>>> 
>>> On 02/26/2013 09:47 AM, Heiko Braun wrote:
>>>> 
>>>> 
>>>> At some point we used to have support for ${subject} for accessing the domain management HTTP interface. Does anybody remember why it has been removed? Looking at the current domain API handler implementation, it seems CORS has explicitly been prevented.
>>>> 
>>>> Regards, Heiko
>>>> 
>>> _______________________________________________
>>> jboss-as7-dev mailing list
>>> jboss-as7-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>> 
