[
https://issues.apache.org/jira/browse/NIFI-9241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nathan Gough updated NIFI-9241:
-------------------------------
Resolution: Fixed
Status: Resolved (was: Patch Available)
> Review CORS Security Configuration
> ----------------------------------
>
> Key: NIFI-9241
> URL: https://issues.apache.org/jira/browse/NIFI-9241
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core UI, Security
> Affects Versions: 1.8.0, 1.14.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The NiFi Web Security Configuration includes a custom CORS Configuration
> Source that disallows HTTP POST requests for Template Uploads. The works as
> expected with direct access to the NiFi UI, but causes issues when attempting
> to upload a template to NiFi through a reverse proxy.
> When a web browser sends a template upload request that includes an
> unexpected {{Origin}} header, the Spring CORS Filter returns HTTP 403
> Forbidden with a response body containing the message {{Invalid CORS
> Request}}. NIFI-6080 describes a workaround that involves setting a
> different {{Origin}} header. The current approach as implemented in
> NIFI-5595 should be evaluated for potential improvements to avoid this
> behavior when running NiFi with a reverse proxy.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
