
added option to disable cross site scripting headers

1 parent 07f6f2f commit 7fd682cb55d94b6e54e3751438b4290a1d9ae166 @grobmeier committed Apr 3, 2012
Showing with 14 additions and 7 deletions.
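--- a/jjson-struts2/src/main/java/de/grobmeier/json/plugins/struts2/JsonResult.java
+++ b/jjson-struts2/src/main/java/de/grobmeier/json/plugins/struts2/JsonResult.java
@@ -43,7 +43,9 @@
 private String charSet = "UTF-8";
 private boolean commentOutput = true;
-
+
+ private boolean allowCrossSiteScripting = true;
+
 private String jsonResponse;
 /** Default constructor */
@@ -79,11 +81,12 @@ protected void doExecute(String finalLocation, ActionInvocation invocation)
 }
 response.setHeader("Content-Disposition", "inline");
- // allows crosssite ajax - TODO: should be optional
- response.setHeader("Access-Control-Allow-Origin", "*");
- response.setHeader("Access-Control-Allow-Methods", "POST,GET");
- response.setHeader("Access-Control-Allow-Credentials", "true");
-
+ if(this.allowCrossSiteScripting) {
+ response.setHeader("Access-Control-Allow-Origin", "*");
+ response.setHeader("Access-Control-Allow-Methods", "POST,GET,OPTIONS");
+ response.setHeader("Access-Control-Allow-Credentials", "true");
+ }
+
 PrintWriter writer = response.getWriter();
 try {
 if(this.jsonResponse != null) {
@@ -141,7 +144,11 @@ protected void doExecute(String finalLocation, ActionInvocation invocation)
 public void setJsonResponse(String response) {
 this.jsonResponse = response;
 }
-
+
+ public void setAllowCrossSiteScripting(boolean allowCrossSiteScripting) {
+ this.allowCrossSiteScripting = allowCrossSiteScripting;
+ }
+
 /**
 * Set the character set
 *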
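Review bot: The new field `allowCrossSiteScripting` defaults to `true`, so in the second hunk every JsonResult still answers with `Access-Control-Allow-Origin: *` unless a deployment opts out; a safer default is `private boolean allowCrossSiteScripting = false;`, with the allowed origin taken from a configured allow-list rather than the wildcard. Browsers refuse credentialed cross-origin responses when the allowed origin is `*`, so `Access-Control-Allow-Credentials: true` has no effect in this combination, and it should be dropped rather than later made to work by echoing the request's Origin header, which would let any site read authenticated JSON. The flag governs CORS, not cross-site scripting, so the setter deserves a Javadoc saying so, for example `/** Enables the permissive CORS response headers; disable unless cross-origin readers are intended. */`. doExecute starts and ends outside the hunks shown, so whether an OPTIONS preflight ever reaches this result cannot be confirmed from here.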
