I am not really sure myself. Just threw that out as something that might break.
On Thu, Jul 15, 2021, 20:34 Tom Jordahl <tjord...@adobe.com.invalid> wrote:
> Hi Mantas,
>
> I assume you are referring to CORS as described here (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS).
> Does the Qpid web console actually do any cross-origin requests that would require a pre-flight request (https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request)?
>
> I didn’t think it did, but I certainly could be wrong.
>
> --
> Tom
>
> From: Mantas Gridinas <mgridi...@gmail.com>
> Reply-To: "users@qpid.apache.org" <users@qpid.apache.org>
> Date: Thursday, July 15, 2021 at 10:50 AM
> To: "users@qpid.apache.org" <users@qpid.apache.org>
> Subject: Re: [Broker-J] Http management interface should ignore OPTIONS method
>
> Sadly options request is necessary for browsers to assert whether or not the result of a request should be exposed to caller, isn't it?
>
> On Thu, Jul 15, 2021, 17:47 Tom Jordahl <tjord...@adobe.com.invalid <mailto:tjord...@adobe.com.invalid>> wrote:
>
> Hello Devs,
>
> In our environment we run security scanning tools. They flag any HTTP port that supports the OPTIONS method as a problem:
> “Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.”
>
> I don’t see Qpid having any need to support this method, so I have filed a bug with a patch that blocks the OPTIONS method: https://issues.apache.org/jira/browse/QPID-8552. I would love to have this patch in the next 8.x release of Broker-J.
>
> Thoughts?
> --
> Tom