camel-issues mailing list archives

From "Nicola Ferraro (JIRA)" <>
Subject [jira] [Resolved] (CAMEL-10913) CORS header Access-Control-Allow-Credentials not managed correctly
Date Tue, 14 Mar 2017 12:01:41 GMT


Nicola Ferraro resolved CAMEL-10913.
    Resolution: Fixed

Added the 'corsAllowCredentials' DSL method as a shortcut for setting the related flag.
Also added "Access-Control-Allow-Credentials" to the set of CORS headers (empty by default).

> CORS header Access-Control-Allow-Credentials not managed correctly
> ------------------------------------------------------------------
>                 Key: CAMEL-10913
>                 URL:
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-http-common
>            Reporter: Nicola Ferraro
>            Assignee: Nicola Ferraro
>             Fix For: 2.19.0
> When a browser uses the "withCredentials" flag (not visible in HTTP request headers),
> it accepts the response only if the "Access-Control-Allow-Credentials" header returned by
> the server is set to "true".
> That header is not part of Camel's standard CORS headers, but it can be set in the route.
> The problem is that when "Access-Control-Allow-Credentials" is set to "true", the "Access-Control-Allow-Origin"
> header cannot be set to "*", which is our default ( - section 6.1,
> point 3).
> Setting a value for the "Access-Control-Allow-Origin" header equal to the "Origin" header
> of the request does the trick, but this must be set per-route, and *CORS must be disabled*.
> E.g.
> {code}
> // do not enable cors
> rest().get("/hello")
>   .route()
>   .to("direct:handle")
>   .setHeader("Access-Control-Allow-Credentials", constant("true"))
>   .setHeader("Access-Control-Allow-Origin", header("Origin"));
> {code}
> Otherwise the only option is setting a fixed allowed origin if you know it in advance.
> I wonder if we should add e.g. a ".corsAllowCredentials(boolean)" configuration to handle
> this situation correctly, or another flag to reflect the origin instead of returning "*".

This message was sent by Atlassian JIRA

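The rule the issue runs into (a credentialed response must carry Access-Control-Allow-Credentials: true and an Access-Control-Allow-Origin that matches the request Origin exactly, never "*") is shown below as an added, stand-alone example in Python. It is not Camel code and not part of the JIRA thread; the function names cors_headers and browser_accepts, the allowlist parameter and the sample requests are all constructed for illustration. It models both sides: the server choosing response headers, and the browser-side check that decides whether a withCredentials request is accepted. It is deliberately stricter than the per-route workaround quoted above: when credentials are enabled it refuses a "*" allowlist instead of reflecting every Origin, because reflecting any Origin together with Allow-Credentials lets an arbitrary site read the endpoint with the user's cookies, and it also refuses the "null" origin, which sandboxed iframes and file:// pages produce.

```python
from typing import Dict, Iterable, Optional

ALLOW_ORIGIN = "Access-Control-Allow-Origin"
ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials"
VARY = "Vary"


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_headers(request_headers: Dict[str, str],
                 allowed_origins: Iterable[str],
                 allow_credentials: bool) -> Dict[str, str]:
    """Pick the CORS response headers for one request (hypothetical helper).

    allowed_origins: exact origins such as "https://app.example", or "*".
    Returns an empty dict when the request should get no CORS headers,
    which makes the browser block the cross-origin read.
    """
    origin = _get(request_headers, "Origin")
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to add
    allowed = set(allowed_origins)
    wildcard = "*" in allowed

    if not allow_credentials:
        if wildcard:
            return {ALLOW_ORIGIN: "*"}
        if origin in allowed:
            # Reflecting a specific origin: tell caches the answer depends on it.
            return {ALLOW_ORIGIN: origin, VARY: "Origin"}
        return {}

    # Credentialed mode: "*" is never accepted by the browser, and blindly
    # reflecting Origin would turn the endpoint into a cookie-bearing oracle
    # for any site. Require an explicit allowlist hit and refuse "null".
    if wildcard or origin == "null" or origin not in allowed:
        return {}
    return {ALLOW_ORIGIN: origin, ALLOW_CREDENTIALS: "true", VARY: "Origin"}


def browser_accepts(origin: str, with_credentials: bool,
                    response_headers: Dict[str, str]) -> bool:
    """Model of the browser-side CORS check from the Fetch standard."""
    acao = _get(response_headers, ALLOW_ORIGIN)
    if acao is None:
        return False
    if not with_credentials:
        return acao == "*" or acao == origin
    # withCredentials: "*" is rejected, the origin must match exactly, and
    # Allow-Credentials must be literally "true".
    return acao == origin and _get(response_headers, ALLOW_CREDENTIALS) == "true"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    req = {"Origin": "https://app.example", "Cookie": "session=abc"}
    wildcard_resp = cors_headers(req, ["*"], allow_credentials=True)
    strict_resp = cors_headers(req, ["https://app.example"], allow_credentials=True)
    print("'*' with credentials accepted:",
          browser_accepts("https://app.example", True, wildcard_resp))
    print("exact origin with credentials accepted:",
          browser_accepts("https://app.example", True, strict_resp))
```

Running the block prints False for the wildcard case and True for the exact-origin case, which is the behaviour the issue describes from the browser's side. If you do need to serve several front-end origins with credentials, list them explicitly rather than reflecting the request Origin, and keep Vary: Origin so a shared cache cannot hand one origin's response to another.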