List: tomcat-dev
Subject: [Bug 62419] New: Avoid CORS Origin echoing by default
From: bugzilla () apache ! org
Date: 2018-05-30 21:25:48
Message-ID: bug-62419-78 () https ! bz ! apache ! org/bugzilla/
https://bz.apache.org/bugzilla/show_bug.cgi?id=62419
Bug ID: 62419
Summary: Avoid CORS Origin echoing by default
Product: Tomcat 8
Version: 8.5.14
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: hauser@acm.org
Target Milestone: ----
As per a hint we got from network security of rub.de,

    response.addHeader(
        CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
        "*");

is more secure than plain origin echoing.
Therefore, the easiest way to get there might be to set the default of
cors.support.credentials = false?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
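
Added example (not part of the original report and not Tomcat code): a JavaScript model of the browser's CORS check as defined in the Fetch standard, showing why an echoed Origin combined with Access-Control-Allow-Credentials: true makes authenticated responses readable by any site, while "*" only permits reads made without cookies. The helper names, the origin and the sample responses are constructed for illustration.

```javascript
// Browser-side "CORS check" from the Fetch standard, modelled for auditing.
// Header names are real; origins and sample responses below are constructed.

// Case-insensitive header lookup on a plain object; returns null when absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// True when a page at requestOrigin may read the cross-origin response.
// credentialsMode "include" means cookies / HTTP auth were sent.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false; // "*" never matches here
  if (credentialsMode !== "include") return true;
  return getHeader(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// Hypothetical audit helper: classify the response a server returned to a
// request whose Origin header names a site the server has no reason to trust.
function classify(untrustedOrigin, responseHeaders) {
  if (corsCheck(untrustedOrigin, "include", responseHeaders)) return "credentialed-read";
  if (corsCheck(untrustedOrigin, "omit", responseHeaders)) return "anonymous-read";
  return "blocked";
}

// Constructed sample responses.
const UNTRUSTED = "https://untrusted.example";
const echoed = {                       // origin echoing with credentials
  "Access-Control-Allow-Origin": UNTRUSTED,
  "Access-Control-Allow-Credentials": "true",
};
const wildcard = { "Access-Control-Allow-Origin": "*" };
const wildcardWithCreds = {            // browsers reject this for credentialed requests
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
};

for (const [label, headers] of Object.entries({ echoed, wildcard, wildcardWithCreds })) {
  console.log(label, "=>", classify(UNTRUSTED, headers));
}
```

A result of "credentialed-read" for an origin that is not on an explicit allow-list is the condition the report asks to avoid by default.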