jackrabbit-dev mailing list archives

From "Oliver Lietz (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-3727) enable CORS preflight requests on AbstractWebdavServlet
Date Mon, 17 Feb 2014 09:54:20 GMT

    [ https://issues.apache.org/jira/browse/JCR-3727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13903107#comment-13903107 ]

Oliver Lietz commented on JCR-3727:
-----------------------------------

This is used for a Dart (web) client running against Sling doing read and write requests.

After reading some articles about CORS my understanding is that {{Origin}}/{{Access-Control-Allow-Origin}}
is only for doing some limited protection on the client.

http://www.w3.org/TR/cors/#resource-preflight-requests

{quote}
7. If the resource supports credentials add a single Access-Control-Allow-Origin header, with
the value of the Origin header as value, and add a single Access-Control-Allow-Credentials
header with the case-sensitive string "true" as value.

Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin
header or the string "*" as value.

The string "*" cannot be used for a resource that supports credentials.
{quote}

https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
https://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/
http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
http://stackoverflow.com/questions/19322973/security-implications-of-adding-all-domains-to-cors-access-control-allow-origin
http://stackoverflow.com/questions/9713644/when-is-it-safe-to-enable-cors

As we need credentials to access the repository and don't respond with {{*}} for {{Access-Control-Allow-Origin}},
I don't think that this disables CORS security.

But setting the headers can be dropped here completely and done in an additional servlet filter. We
only need to set the status here and return.

The code can also be moved to a {{CorsUtil}} like it's done with CSRF.

> enable CORS preflight requests on AbstractWebdavServlet
> -------------------------------------------------------
>
>                 Key: JCR-3727
>                 URL: https://issues.apache.org/jira/browse/JCR-3727
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-webdav
>    Affects Versions: 2.4.5, 2.6.5, 2.7.5
>            Reporter: Oliver Lietz
>              Labels: CORS
>         Attachments: JCR-3727-2.4.diff
>
>
> see http://www.w3.org/TR/cors/



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
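The servlet-filter approach mentioned in the comment, as an added example that is not Jackrabbit's own code: it answers preflight requests and follows step 7 of the quoted spec text (echo the concrete Origin plus Access-Control-Allow-Credentials, never "*") but only for origins on an exact-match allowlist, since reflecting any Origin together with credentials would be as permissive as "*". The class name, the allowlist value and the method/header lists are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical CORS filter placed in front of the WebDAV servlet. */
public class CorsFilter implements Filter {

    // Constructed example value: only this origin may make credentialed
    // cross-origin requests. Exact string match, no prefix or regex checks.
    private static final Set<String> ALLOWED_ORIGINS =
            Collections.singleton("https://app.example.org");

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            // Credentials are required, so per the spec the concrete Origin is
            // echoed (never "*") together with Allow-Credentials: true.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            // Shared caches must not serve this answer to a different origin.
            response.addHeader("Vary", "Origin");

            boolean preflight = "OPTIONS".equals(request.getMethod())
                    && request.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                // Preflight is answered here; it never reaches the WebDAV servlet.
                response.setHeader("Access-Control-Allow-Methods", "GET, PUT, DELETE, PROPFIND, MKCOL");
                response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, Depth");
                response.setHeader("Access-Control-Max-Age", "600");
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return;
            }
        }
        // Unknown origin: no CORS headers at all, so the browser refuses the response.
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```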
