https://issues.apache.org/bugzilla/show_bug.cgi?id=57178
--- Comment #4 from Gregor Zurowski <gzurow...@apache.org> --- No, is not needed, but I initially thought of a separate configuration option for making the decision of whether to allow the null origin more explicit. This also allows to control whether the default value "*" (any origin) of the existing configuration option 'cors.allowed.origins' includes or excludes the null origin. The proposed patch does not alter the current default behavior: if 'cors.allowed.origins' is set to "*", then the null origin is not allowed. It must be explicitly enabled by setting the new configuration option 'cors.allowed.nullorigins' to true, which might be useful for specific configuration needs. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
