List:       tomcat-dev
Subject:    [Bug 62419] New: Avoid CORS Origin echoing by default
From:       bugzilla () apache ! org
Date:       2018-05-30 21:25:48
Message-ID: bug-62419-78 () https ! bz ! apache ! org/bugzilla/

https://bz.apache.org/bugzilla/show_bug.cgi?id=62419

            Bug ID: 62419
           Summary: Avoid CORS Origin echoing by default
           Product: Tomcat 8
           Version: 8.5.14
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: hauser@acm.org
  Target Milestone: ----

As per a hint we got from network security of rub.de,


              response.addHeader(
                    CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
                    "*");

is more secure than plain origin echoing.

Therefore, the easiest way to get there might be to set the default of
cors.support.credentials = false ?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
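The report above turns on one decision inside a CORS filter: when the configured policy allows any origin, the filter can either echo the request's Origin back (which, combined with Access-Control-Allow-Credentials: true, lets any page make credentialed cross-origin requests) or answer with a literal "*" (which browsers refuse to pair with credentials). The following Python model of that decision is an added illustration, not Tomcat's CorsFilter code; the names CorsPolicy, cors_headers and policy_warnings are hypothetical, and the policy fields merely mirror the cors.allowed.origins and cors.support.credentials settings mentioned in the bug.

```python
"""Model of the CORS response-header decision a filter such as Tomcat's
CorsFilter has to make. Added illustration; not Tomcat's own code."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class CorsPolicy:
    # Hypothetical fields mirroring cors.allowed.origins and
    # cors.support.credentials; any_origin_allowed stands for "*".
    allowed_origins: Set[str] = field(default_factory=set)
    any_origin_allowed: bool = False
    support_credentials: bool = False

    def is_origin_allowed(self, origin: str) -> bool:
        return self.any_origin_allowed or origin in self.allowed_origins


def cors_headers(policy: CorsPolicy, origin: Optional[str]) -> Dict[str, str]:
    """Return the CORS response headers for a request carrying `origin`."""
    headers: Dict[str, str] = {}
    if origin is None or not policy.is_origin_allowed(origin):
        # Not a cross-origin request, or origin not allowed: add nothing,
        # so the browser blocks the response.
        return headers
    if policy.any_origin_allowed and not policy.support_credentials:
        # Wildcard answer: browsers never expose a "*" response to a
        # credentialed request, so the user's cookies cannot be abused
        # by a third-party page even though every origin is "allowed".
        headers["Access-Control-Allow-Origin"] = "*"
        return headers
    # A concrete origin has to be echoed; browsers require an exact match
    # whenever credentials are involved. Vary: Origin keeps caches from
    # serving one origin's answer to another.
    headers["Access-Control-Allow-Origin"] = origin
    headers["Vary"] = "Origin"
    if policy.support_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def policy_warnings(policy: CorsPolicy) -> List[str]:
    """Flag the combination the bug report is about: any origin echoed
    together with credentials support."""
    warnings: List[str] = []
    if policy.any_origin_allowed and policy.support_credentials:
        warnings.append(
            "any origin is echoed with Access-Control-Allow-Credentials: true; "
            "every site can make credentialed cross-origin requests"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample: the default the report argues against, next to
    # the safer default it proposes.
    risky = CorsPolicy(any_origin_allowed=True, support_credentials=True)
    proposed = CorsPolicy(any_origin_allowed=True, support_credentials=False)
    for name, pol in (("risky", risky), ("proposed", proposed)):
        print(name, cors_headers(pol, "https://other.example"), policy_warnings(pol))
```

Running the script shows the risky policy echoing https://other.example with Allow-Credentials: true, while the proposed default answers "*" with no credentials header; explicitly listed origins still get echoed, which is the only way credentialed CORS can work at all.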
