[jboss-jira] [JBoss JIRA] (WFCORE-1672) Add 'Vary: Origin' header to CorsHttpHandler
Harald Pehl (JIRA)
issues at jboss.org
Tue Jul 26 04:16:03 EDT 2016
[ https://issues.jboss.org/browse/WFCORE-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Harald Pehl updated WFCORE-1672:
--------------------------------
Description:
The management endpoint can be accessed from a list of allowed origins. In that case CORS relevant headers such as {{Access-Control-Allow-Origin: <allowed origin>}} are added to the response.
Since the list of allowed origins is dynamic, the header {{Vary: Origin}} should be added as well. See [https://www.w3.org/TR/cors/#resource-implementation].
Without the {{Vary}} header being present in the response, the client uses responses from the cache which have an origin that does not match the current origin. Consider this scenario:
# http://localhost:3000 (client1) and http://localhost:4000 (client2) are both configured as allowed origins
# client1 reads a resource description using http://localhost:9990/management/profile/default/subsystem/batch-jberet?operation=resource-description. Since it's a GET request the response is cached.
# client2 reads the same resource description
Without the {{Vary}} header, client2 would use the cached response. However, the origin in the cached response (http://localhost:3000) does not match the current origin (http://localhost:4000), which causes errors.
was:
The management endpoint can be accessed from a list of allowed origins. In that case CORS relevant headers such as {{Access-Control-Allow-Origin: <allowed origin>}} are added to the response.
Since the list of allowed origins is dynamic, the header {{Vary: Origin}} should be added as well. See [https://www.w3.org/TR/cors/#resource-implementation].
> Add 'Vary: Origin' header to CorsHttpHandler
> --------------------------------------------
>
> Key: WFCORE-1672
> URL: https://issues.jboss.org/browse/WFCORE-1672
> Project: WildFly Core
> Issue Type: Enhancement
> Components: Domain Management
> Reporter: Harald Pehl
> Assignee: Harald Pehl
>
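An added simulation of the caching behaviour described in this issue (example code, not part of WildFly Core or the CorsHttpHandler): a minimal browser-style cache that keys stored responses on the request headers named in the response's Vary header, run through the two-client scenario with and without Vary: Origin. The management URL and the two origins are the issue's own values; the Cache-Control lifetime is constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Allowed origins from the scenario in the issue (constructed configuration).
ALLOWED_ORIGINS = {"http://localhost:3000", "http://localhost:4000"}
MGMT_URL = ("http://localhost:9990/management/profile/default/subsystem/"
            "batch-jberet?operation=resource-description")

def management_response(origin: str, add_vary: bool) -> Dict[str, str]:
    """Headers the management endpoint returns for a cacheable GET."""
    headers = {"Content-Type": "application/json", "Cache-Control": "max-age=60"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin  # echoes the caller's origin
        if add_vary:
            headers["Vary"] = "Origin"  # the fix this issue asks for
    return headers

class BrowserCache:
    """Cache that honours Vary: a stored entry only matches a request whose
    varied header values equal those of the request that populated it."""
    def __init__(self) -> None:
        self._store: Dict[str, List[Tuple[Dict[str, Optional[str]], Dict[str, str]]]] = {}

    def lookup(self, url: str, req: Dict[str, str]) -> Optional[Dict[str, str]]:
        for vary_key, resp in self._store.get(url, []):
            if all(req.get(h) == v for h, v in vary_key.items()):  # empty key matches all
                return resp
        return None

    def store(self, url: str, req: Dict[str, str], resp: Dict[str, str]) -> None:
        vary = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
        if "*" in vary:
            return  # Vary: * means the response is never reusable from cache
        self._store.setdefault(url, []).append(({h: req.get(h) for h in vary}, resp))

def fetch(cache: BrowserCache, url: str, origin: str, add_vary: bool) -> Tuple[Dict[str, str], bool]:
    """Return (response headers, served_from_cache) for a cross-origin GET."""
    req = {"Origin": origin}
    cached = cache.lookup(url, req)
    if cached is not None:
        return cached, True
    resp = management_response(origin, add_vary)
    cache.store(url, req, resp)
    return resp, False

def run_scenario(add_vary: bool) -> Tuple[bool, bool]:
    """client1 then client2 fetch the same resource description; report whether
    client2 was served from cache and whether its CORS check passes."""
    cache = BrowserCache()
    fetch(cache, MGMT_URL, "http://localhost:3000", add_vary)
    resp2, from_cache = fetch(cache, MGMT_URL, "http://localhost:4000", add_vary)
    return from_cache, resp2.get("Access-Control-Allow-Origin") == "http://localhost:4000"
```

Without Vary, client2 is handed client1's cached response and its Access-Control-Allow-Origin check fails; with Vary: Origin the cache misses and client2 gets a response that echoes its own origin.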
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)