Description
Nils Rudolph opened SPR-11443 and commented
We have our own CORS Filter that applies CORS Headers to all responses.
Spring-websocket also sets the CORS Headers but for the Header "Access-Control-Allow-Origin" it adds the origin to the existing header again (e.g. "Access-Control-Allow-Origin" = "localhost:8080, localhost:8080").
The Browser does not accept these responses.
See http://www.w3.org/TR/cors/#access-control-allow-origin-response-header:
"In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null"."
As a workaround we changed our CORSFilter and don't set the "Access-Control-Allow-Origin" for Websocket requests, and it works. But I think spring-websocket should either not set the "Access-Control-Allow-Origin" if it is already set or replace the existing value.
Affects: 4.0.1, 4.0.2
Issue Links:
- Undocumented auto CORS for websocket endpoint breaking existing CORS code [SPR-11437] #16063
- Regression: AbstractHttpMessageConverter does not set ContentType [SPR-11685] #16308
- Improve Servlet 3 presence check in ServletServerHttpResponse [SPR-11712] #16334
Referenced from: commits 49d7bda
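The "do not set it if it is already set" behaviour requested in the report can also be enforced from the application's own filter. The following is an added example, not code from the issue or from Spring; the class name, the allowlist entry and the assumption that code further down the chain appends the header with `addHeader()` are all illustrative.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter for illustration; class name and allowlist are assumptions.
public class SingleOriginCorsFilter implements Filter {

    private static final String ACAO = "Access-Control-Allow-Origin";

    // Constructed sample allowlist.
    private final Set<String> allowedOrigins =
            new HashSet<String>(Arrays.asList("http://localhost:8080"));

    @Override
    public void init(FilterConfig config) { }
    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");
        if (origin != null && allowedOrigins.contains(origin)) {
            // setHeader replaces any earlier value, so exactly one origin is sent.
            response.setHeader(ACAO, origin);
            // The header depends on the request's Origin, so caches must key on it.
            response.addHeader("Vary", "Origin");
        }

        // Assumption: code further down the chain appends with addHeader().
        // Once the header exists, a second append is dropped instead of
        // producing "origin, origin", which browsers reject.
        chain.doFilter(req, new HttpServletResponseWrapper(response) {
            @Override
            public void addHeader(String name, String value) {
                if (ACAO.equalsIgnoreCase(name) && containsHeader(ACAO)) {
                    return;
                }
                super.addHeader(name, value);
            }
        });
    }
}
```

Echoing the request's `Origin` only after an exact allowlist match keeps the header single-valued without falling back to reflecting arbitrary origins.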