[ https://issues.apache.org/jira/browse/JCR-3727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13903107#comment-13903107 ]
Oliver Lietz commented on JCR-3727:
-----------------------------------

This is used for a Dart (web) client running against Sling doing read and write requests. After reading some articles about CORS my understanding is that {{Origin}}/{{Access-Control-Allow-Origin}} is only for doing some limited protection on the client.

http://www.w3.org/TR/cors/#resource-preflight-requests

{quote}
7. If the resource supports credentials add a single Access-Control-Allow-Origin header, with the value of the Origin header as value, and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as value. Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin header or the string "*" as value. The string "*" cannot be used for a resource that supports credentials.
{quote}

https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
https://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/
http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
http://stackoverflow.com/questions/19322973/security-implications-of-adding-all-domains-to-cors-access-control-allow-origin
http://stackoverflow.com/questions/9713644/when-is-it-safe-to-enable-cors

As we need credentials to access the repository and don't respond with {{*}} for {{Access-Control-Allow-Origin}}, I don't think that this disables CORS security. But setting headers can be dropped completely and done in an additional servlet filter. We only need to set the status here and return. The code can also be moved to a {{CorsUtil}} like it's done with CSRF.
> enable CORS preflight requests on AbstractWebdavServlet
> -------------------------------------------------------
>
>                 Key: JCR-3727
>                 URL: https://issues.apache.org/jira/browse/JCR-3727
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-webdav
>    Affects Versions: 2.4.5, 2.6.5, 2.7.5
>            Reporter: Oliver Lietz
>              Labels: CORS
>         Attachments: JCR-3727-2.4.diff
>
> see http://www.w3.org/TR/cors/

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)