Improve CORS configuration #458

Closed
qbert2k opened this issue Jan 23, 2017 · 5 comments

qbert2k commented Jan 23, 2017

https://support.gluu.org/other/3630/insecure-response-with-wildcard-in-access-control-allow-origin/

@qbert2k qbert2k added the enhancement libs update, re-factroring, etc. label Jan 23, 2017
@qbert2k qbert2k added this to the CE 3.1.0 milestone Jan 23, 2017
@qbert2k qbert2k self-assigned this Jan 23, 2017
@qbert2k qbert2k modified the milestones: CE 3.0.0, CE 3.1.0 Jan 23, 2017

yurem commented Jan 26, 2017

We use this proxy filter, which supports both Tomcat/Jetty CORS filters

qbert2k added a commit that referenced this issue Feb 15, 2017
Improve CORS configuration

yurem commented Feb 27, 2017

These changes are not in the 3.0.1 branch. We need to merge these changes into the 3.0.2 branch.

@yurem yurem modified the milestones: CE 3.0.2, CE 3.0.0 Feb 27, 2017

yurem commented Feb 27, 2017

We need to add a similar implementation to oxTrust too.

qbert2k added a commit that referenced this issue Mar 9, 2017
Improve CORS configuration
@qbert2k qbert2k closed this as completed Mar 9, 2017
qbert2k added a commit that referenced this issue Apr 22, 2017
Improve CORS configuration

qbert2k commented Apr 22, 2017

Done for 3.0.2 as requested.


aliaksander-samuseu commented May 16, 2017

Hi, @qbert2k

I see that we still use this "Access-Control-Allow-Origin: *" header in responses both in 3.0.x and 3.1.x packages. It happens because of this part of Apache's configuration:

        <Location /oxauth/seam/resource/restv1/oxauth/userinfo>
                ProxyPass http://localhost:8081/oxauth/seam/resource/restv1/oxauth/userinfo retry=5 disablereuse=On
                ProxyPassReverse http://localhost:8081/oxauth/seam/resource/restv1/oxauth/userinfo
                Header set Access-Control-Allow-Origin "*"
#                Header set Access-Control-Allow-Headers "Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization"
                Order allow,deny
                Allow from all
        </Location>

I.e. this header is simply attached to all responses from /oxauth/seam/resource/restv1/oxauth/userinfo.

We also have the same line set for the "/oxauth" path:

        <Location /oxauth>
                ProxyPass http://localhost:8081/oxauth retry=5 disablereuse=On
                ProxyPassReverse http://localhost:8081/oxauth
                Header set Access-Control-Allow-Origin "*"
                Order allow,deny
                Allow from all
        </Location>
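
A config audit for the pattern described in the comment above, as an added example that is not part of the original thread or the project's code: it scans Apache configuration text for active (uncommented) `Header` directives that set `Access-Control-Allow-Origin` to `*` and reports the enclosing section. The sample configuration is constructed from the blocks quoted above; the `/example-app` block and the function name `find_wildcard_cors` are assumptions.

```python
import re

# Constructed sample modelled on the <Location> blocks quoted in the thread;
# the /example-app block is an assumption added to show a commented-out line.
SAMPLE_CONF = '''\
<Location /oxauth/seam/resource/restv1/oxauth/userinfo>
    ProxyPass http://localhost:8081/oxauth/seam/resource/restv1/oxauth/userinfo retry=5 disablereuse=On
    Header set Access-Control-Allow-Origin "*"
</Location>
<Location /oxauth>
    ProxyPass http://localhost:8081/oxauth retry=5 disablereuse=On
    Header set Access-Control-Allow-Origin "*"
</Location>
<Location /example-app>
#    Header set Access-Control-Allow-Origin "*"
</Location>
'''

SECTION_OPEN = re.compile(r'<(\w+)\s+([^>]*)>')
SECTION_CLOSE = re.compile(r'</\w+\s*>')
# Header [always|onsuccess] <action> Access-Control-Allow-Origin "*" [condition]
WILDCARD_ACAO = re.compile(
    r'Header\s+(?:(?:always|onsuccess)\s+)?(set|setifempty|add|append|merge)\s+'
    r'Access-Control-Allow-Origin\s+"?\*"?(?:\s|$)', re.IGNORECASE)

def find_wildcard_cors(conf_text):
    """Return (line_no, enclosing_section, action) for each active wildcard header."""
    findings, scope = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # commented-out directives are inactive
        opened = SECTION_OPEN.match(line)
        if opened:
            scope.append(f'{opened.group(1)} {opened.group(2).strip()}')
        elif SECTION_CLOSE.match(line):
            if scope:
                scope.pop()
        else:
            hit = WILDCARD_ACAO.match(line)
            if hit:
                where = scope[-1] if scope else '(server config)'
                findings.append((line_no, where, hit.group(1).lower()))
    return findings

if __name__ == '__main__':
    for line_no, where, action in find_wildcard_cors(SAMPLE_CONF):
        print(f'line {line_no}: Header {action} ACAO "*" inside <{where}>')
```

A `Header set` at the proxy replaces any `Access-Control-Allow-Origin` value the backend sends, so a finding here applies regardless of the application's own CORS filter.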
