Hi Mantas,

I assume you are referring to CORS as described here 
(https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS).
Does the Qpid web console actually do any cross-origin requests that would 
require a pre-flight request 
(https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request)?

I didn’t think it did, but I certainly could be wrong.

--
Tom

From: Mantas Gridinas <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, July 15, 2021 at 10:50 AM
To: "[email protected]" <[email protected]>
Subject: Re: [Broker-J] Http management interface should ignore OPTIONS method

Sadly, the OPTIONS request is necessary for browsers to assert whether or not
the result of a request should be exposed to the caller, isn't it?

On Thu, Jul 15, 2021, 17:47 Tom Jordahl <[email protected]> wrote:

Hello Devs,

In our environment we run security scanning tools.  They flag any HTTP
port that supports the OPTIONS method as a problem:
   “Web servers that respond to the OPTIONS HTTP method expose what other
methods are supported by the web server, allowing attackers to narrow and
intensify their efforts.”

I don’t see Qpid having any need to support this method, so I have filed a
bug with a patch that blocks the OPTIONS method:
https://issues.apache.org/jira/browse/QPID-8552. I would love to have
this patch in the next 8.x release of Broker-J.

Thoughts?
--
Tom
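
The question raised in this thread is whether any client sends cross-origin requests that need a preflight. The following added example (not part of the original e-mails and not Qpid code) applies a simplified form of the Fetch standard's preflight rule to a list of requests. The origins, paths and request list are constructed placeholders, and the omitted parts of the rule are listed in the first comment.

```javascript
// Added example: simplified form of the Fetch standard's CORS-preflight rule.
// Not modelled: header value length/byte limits, the Range header,
// upload listeners and streamed request bodies.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True when a browser page at pageOrigin would send an OPTIONS preflight
// before issuing req ({ method, url, headers }).
function needsPreflight(pageOrigin, req) {
  const target = new URL(req.url, pageOrigin); // relative URLs resolve against the page
  if (target.origin === new URL(pageOrigin).origin) return false; // same-origin: no CORS
  if (!SAFE_METHODS.has((req.method || "GET").toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return true; // e.g. Authorization, X-Requested-With
    if (lower === "content-type") {
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) return true; // e.g. application/json
    }
  }
  return false;
}

// Returns "METHOD url" for every request that depends on OPTIONS being answered.
function preflightDependent(pageOrigin, requests) {
  return requests
    .filter((r) => needsPreflight(pageOrigin, r))
    .map((r) => `${r.method} ${r.url}`);
}

// Constructed sample: hypothetical origins and paths, not taken from Qpid.
const CONSOLE = "https://broker.example:8443"; // console served by the broker itself
const DASHBOARD = "https://dashboard.example"; // separate site calling the broker
const sampleRequests = [
  { method: "GET", url: "https://broker.example:8443/api/example/queue", headers: { Accept: "application/json" } },
  { method: "PUT", url: "https://broker.example:8443/api/example/queue/q1", headers: { "Content-Type": "application/json" } },
  { method: "GET", url: "https://broker.example:8443/api/example/queue", headers: { Authorization: "Basic <placeholder>" } },
  { method: "POST", url: "https://broker.example:8443/api/example/login", headers: { "Content-Type": "text/plain; charset=utf-8" } },
];

console.log("same-origin console:", preflightDependent(CONSOLE, sampleRequests));
console.log("cross-origin dashboard:", preflightDependent(DASHBOARD, sampleRequests));
```

In this sample, a console served from the broker's own origin depends on no OPTIONS responses, while the same requests issued from a separate origin need a preflight for the PUT and for the GET that carries an Authorization header.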

