[ https://issues.apache.org/jira/browse/JCR-3727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13903107#comment-13903107 ]

Oliver Lietz commented on JCR-3727:
-----------------------------------

This is used for a Dart (web) client running against Sling doing read and write 
requests.

After reading some articles about CORS my understanding is that 
{{Origin}}/{{Access-Control-Allow-Origin}} is only for doing some limited 
protection on the client.

http://www.w3.org/TR/cors/#resource-preflight-requests

{quote}
7. If the resource supports credentials add a single 
Access-Control-Allow-Origin header, with the value of the Origin header as 
value, and add a single Access-Control-Allow-Credentials header with the 
case-sensitive string "true" as value.

Otherwise, add a single Access-Control-Allow-Origin header, with either the 
value of the Origin header or the string "*" as value.

The string "*" cannot be used for a resource that supports credentials.
{quote}

https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
https://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/
http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
http://stackoverflow.com/questions/19322973/security-implications-of-adding-all-domains-to-cors-access-control-allow-origin
http://stackoverflow.com/questions/9713644/when-is-it-safe-to-enable-cors

As we need credentials to access the repository and don't respond with {{*}} 
for {{Access-Control-Allow-Origin}}, I don't think that this disables CORS 
security.

But setting the headers can be dropped completely and done in an additional 
servlet filter. We only need to set the status here and return.

The code can also be moved to a {{CorsUtil}} like it's done with CSRF.

> enable CORS preflight requests on AbstractWebdavServlet
> -------------------------------------------------------
>
>                 Key: JCR-3727
>                 URL: https://issues.apache.org/jira/browse/JCR-3727
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-webdav
>    Affects Versions: 2.4.5, 2.6.5, 2.7.5
>            Reporter: Oliver Lietz
>              Labels: CORS
>         Attachments: JCR-3727-2.4.diff
>
>
> see http://www.w3.org/TR/cors/



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
