- 19 Feb, 2015 2 commits
-
-
Committed by Sebastien Deleuze
This commit adds support for a same-origin check that compares the Origin header to the Host header. It also changes the default setting from all origins allowed to only same origin allowed.

Issues: SPR-12697, SPR-12685 (cherry picked from commit 6062e155)
-
Committed by Sebastien Deleuze
This commit introduces the following changes:
- Requests without an Origin header are not rejected anymore
- Disable the Iframe when allowedOrigins is not empty and not equal to *
- The Iframe is not cached anymore in order to have a reliable origin check
- allowedOrigins must not be null or empty
- The allowedOrigins format is now validated (should be * or start with http(s)://)

Issue: SPR-12660 (cherry picked from commit 9b3319b3)
-
- 01 Nov, 2014 1 commit
-
-
Committed by Sam Brannen
-
- 27 Oct, 2014 2 commits
-
-
Committed by Rossen Stoyanchev
-
Committed by Sebastien Deleuze
This commit introduces a new OriginHandshakeInterceptor. It filters the Origin header value against a list of allowed origins. AbstractSockJsService has been modified to:
- Reject CORS requests with forbidden origins
- Disable transport types that do not support CORS when an origin check is required
- Use the Origin request header value instead of "*" for the Access-Control-Allow-Origin response header value (mandatory when Access-Control-Allow-Credentials=true)
- Return CORS headers only if the request contains an Origin header

It is possible to configure this behavior easily thanks to the JavaConfig API WebSocketHandlerRegistration#addAllowedOrigins(String...) and StompWebSocketEndpointRegistration#addAllowedOrigins(String...). It is also possible to configure it using the websocket XML namespace.

Please notice that this commit does not change the default behavior: cross-origin requests are still enabled by default.

Issues: SPR-12226
-