From 8d043cc4ddf585261b86fafbee52625be9a38f04 Mon Sep 17 00:00:00 2001 From: Akhil Date: Mon, 15 Aug 2016 13:22:15 -0400 Subject: [PATCH] Do not return Access-Control-Allow-Headers on Non-Preflight Cors requests Motivation: The CorsHandler currently returns the Access-Control-Allow-Headers header as on a Non-Preflight CORS request (Simple request). As per the CORS specification the Access-Control-Allow-Headers header should only be returned on Preflight requests. (not on simple requests). https://www.w3.org/TR/2014/REC-cors-20140116/#access-control-allow-headers-response-header http://www.html5rocks.com/static/images/cors_server_flowchart.png Modifications: Modified CorsHandler.java to not add the Access-Control-Allow-Headers header when responding to Non-preflight CORS request. Result: Access-Control-Allow-Headers header will not be returned on a Simple request (Non-preflight CORS request). --- .../java/io/netty/handler/codec/http/cors/CorsHandler.java | 1 - .../io/netty/handler/codec/http/cors/CorsHandlerTest.java | 6 ++++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/cors/CorsHandler.java b/codec-http/src/main/java/io/netty/handler/codec/http/cors/CorsHandler.java index d4a43fcaa2..b3bda3d004 100644 --- a/codec-http/src/main/java/io/netty/handler/codec/http/cors/CorsHandler.java +++ b/codec-http/src/main/java/io/netty/handler/codec/http/cors/CorsHandler.java @@ -196,7 +196,6 @@ public class CorsHandler extends ChannelDuplexHandler { final HttpResponse response = (HttpResponse) msg; if (setOrigin(response)) { setAllowCredentials(response); - setAllowHeaders(response); setExposeHeaders(response); } } diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/cors/CorsHandlerTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/cors/CorsHandlerTest.java index df075e7fdb..9e170326b9 100644 --- a/codec-http/src/test/java/io/netty/handler/codec/http/cors/CorsHandlerTest.java +++ b/codec-http/src/test/java/io/netty/handler/codec/http/cors/CorsHandlerTest.java @@ -68,6 +68,7 @@ public class CorsHandlerTest { public void simpleRequestWithAnyOrigin() { final HttpResponse response = simpleRequest(forAnyOrigin().build(), "http://localhost:7777"); assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is("*")); + assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue())); } @Test @@ -77,6 +78,7 @@ public class CorsHandlerTest { .build(), "null"); assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is("null")); assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_CREDENTIALS), is(equalTo("true"))); + assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue())); } @Test @@ -84,6 +86,7 @@ public class CorsHandlerTest { final String origin = "http://localhost:8888"; final HttpResponse response = simpleRequest(forOrigin(origin).build(), origin); assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(origin)); + assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue())); } @Test @@ -93,8 +96,10 @@ public class CorsHandlerTest { final String[] origins = {origin1, origin2}; final HttpResponse response1 = simpleRequest(forOrigins(origins).build(), origin1); assertThat(response1.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(origin1)); + assertThat(response1.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue())); final HttpResponse response2 = simpleRequest(forOrigins(origins).build(), origin2); assertThat(response2.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(origin2)); + assertThat(response2.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue())); } @Test @@ -103,6 +108,7 @@ public class CorsHandlerTest { final HttpResponse response = simpleRequest( forOrigins("https://localhost:8888").build(), origin); assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(nullValue())); + assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue())); } @Test