Do not return Access-Control-Allow-Headers on Non-Preflight Cors requests
Motivation: The CorsHandler currently returns the Access-Control-Allow-Headers header on a non-preflight CORS request (simple request). Per the CORS specification, the Access-Control-Allow-Headers header should only be returned on preflight requests, not on simple requests. https://www.w3.org/TR/2014/REC-cors-20140116/#access-control-allow-headers-response-header http://www.html5rocks.com/static/images/cors_server_flowchart.png Modifications: Modified CorsHandler.java to not add the Access-Control-Allow-Headers header when responding to a non-preflight CORS request. Result: The Access-Control-Allow-Headers header will not be returned on a simple request (non-preflight CORS request).
This commit is contained in:
parent
fb3dc84e5b
commit
8d043cc4dd
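--- a/CorsHandler.java
+++ b/CorsHandler.java
@@ -196,7 +196,6 @@ public class CorsHandler extends ChannelDuplexHandler {
 final HttpResponse response = (HttpResponse) msg;
 if (setOrigin(response)) {
 setAllowCredentials(response);
-setAllowHeaders(response);
 setExposeHeaders(response);
 }
 }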
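Review bot: The remaining non-preflight branch (setOrigin, setAllowCredentials, setExposeHeaders) carries no comment recording that Access-Control-Allow-Headers is deliberately omitted here, so a later reader of this method is likely to re-add the call the commit removes. I would mark the spot above `setExposeHeaders(response);` with `// Access-Control-Allow-Headers is only meaningful on a preflight response; never emit it for simple requests.` The enclosing method starts before this hunk, so whether the preflight path still sets the header is not visible from here, and a pointer to that path in the same comment would help. Nothing in this hunk changes how the origin or credentials headers are computed; the only behavioural change is that simple responses no longer advertise the set of accepted request headers.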
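--- a/CorsHandlerTest.java
+++ b/CorsHandlerTest.java
@@ -68,6 +68,7 @@ public class CorsHandlerTest {
 public void simpleRequestWithAnyOrigin() {
 final HttpResponse response = simpleRequest(forAnyOrigin().build(), "http://localhost:7777");
 assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is("*"));
+assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
 }
 
 @Test
@@ -77,6 +78,7 @@ public class CorsHandlerTest {
 .build(), "null");
 assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is("null"));
 assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_CREDENTIALS), is(equalTo("true")));
+assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
 }
 
 @Test
@@ -84,6 +86,7 @@ public class CorsHandlerTest {
 final String origin = "http://localhost:8888";
 final HttpResponse response = simpleRequest(forOrigin(origin).build(), origin);
 assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(origin));
+assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
 }
 
 @Test
@@ -93,8 +96,10 @@ public class CorsHandlerTest {
 final String[] origins = {origin1, origin2};
 final HttpResponse response1 = simpleRequest(forOrigins(origins).build(), origin1);
 assertThat(response1.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(origin1));
+assertThat(response1.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
 final HttpResponse response2 = simpleRequest(forOrigins(origins).build(), origin2);
 assertThat(response2.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(origin2));
+assertThat(response2.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
 }
 
 @Test
@@ -103,6 +108,7 @@ public class CorsHandlerTest {
 final HttpResponse response = simpleRequest(
 forOrigins("https://localhost:8888").build(), origin);
 assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(nullValue()));
+assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
 }
 
 @Test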
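Review bot: Every assertion added in this file is negative — it checks that ACCESS_CONTROL_ALLOW_HEADERS is absent on a simple request — but no hunk here adds the matching positive check that a preflight response still carries the header, so an accidental removal from the preflight path would pass this suite unless such a test already exists elsewhere in the file. I would add to the preflight test (outside these hunks, so I cannot quote it) an assertion of the shape `assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(notNullValue()));` for a config that declares allowed request headers. The same nullValue line is now repeated six times; a small helper such as `assertNoAllowHeaders(HttpResponse response)` would keep the test bodies readable and make the intent explicit.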