sdeleuze changed the title from "Flaw in org.springframework.web.cors.CorsUtils#isCorsRequest" to "CorsUtils#isCorsRequest should detect same origin requests with an Origin header" on Mar 4, 2019
This check is currently done as a second step at WebUtils#isSameOrigin level, invoked by DefaultCorsProcessor#processRequest. That said, per RFC 6454 section 7.3, I tend to agree that this check should be invoked by CorsUtils#isCorsRequest for more correct semantics, but I would like to avoid any performance regression, and I would like to see if we have possibilities to avoid duplicated CorsUtils#isCorsRequest, so I plan this one for 5.2 along with #22273 unless other team members think otherwise.
Affecting version: spring-web:5.1.3.RELEASE
Hello,
org.springframework.web.cors.CorsUtils#isCorsRequest only checks whether the request header "Origin" is null. But Chrome/Edge always send the "Origin" header in AJAX requests even when it is not a CORS request (the target URL is the same domain).
It is better to additionally check whether the "Origin" header is the same as the request URL.
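The same-origin comparison the report asks for, written here as an added example rather than Spring's own code: the Origin header is parsed with java.net.URI and compared to the request URL on scheme, host and effective port, following RFC 6454 section 7.3. The class and method names are hypothetical, and the request URL is passed as a string where a real implementation would read it from the servlet request.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Hypothetical stand-in for CorsUtils#isCorsRequest that treats a request
// whose Origin header matches its own scheme/host/port as NOT a CORS request.
public final class SameOriginCorsCheck {

    public static boolean isCorsRequest(String requestUrl, String originHeader) {
        if (originHeader == null) {
            return false;            // no Origin header at all: plainly not CORS
        }
        URI request = URI.create(requestUrl);   // server-side value, assumed absolute
        URI origin;
        try {
            origin = new URI(originHeader.trim());
        } catch (URISyntaxException ex) {
            return true;             // unparsable Origin: fail closed, treat as cross-origin
        }
        // "Origin: null" (opaque origin) parses with no scheme/host and lands here too
        if (origin.getScheme() == null || origin.getHost() == null) {
            return true;
        }
        boolean sameOrigin = sameIgnoreCase(request.getScheme(), origin.getScheme())
                && sameIgnoreCase(request.getHost(), origin.getHost())
                && effectivePort(request) == effectivePort(origin);
        return !sameOrigin;
    }

    private static boolean sameIgnoreCase(String a, String b) {
        return a != null && a.equalsIgnoreCase(b);
    }

    // Fill in the scheme's default port so "https://a.example" equals "https://a.example:443".
    private static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        return ("https".equals(scheme) || "wss".equals(scheme)) ? 443 : 80;
    }

    public static void main(String[] args) {
        // Constructed sample values: a same-origin XHR as Chrome sends it (Origin present),
        // a genuine cross-origin request, and a default-port spelling difference.
        System.out.println(isCorsRequest("https://app.example.com/api/items", "https://app.example.com"));
        System.out.println(isCorsRequest("https://app.example.com/api/items", "https://other.example.net"));
        System.out.println(isCorsRequest("http://app.example.com:80/api", "http://app.example.com"));
    }
}
```

Port normalization matters for the same-origin decision: without it, a browser's `Origin: https://app.example.com` would never match a request URL reported with an explicit `:443`.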