
AbstractSockJsService.checkAndAddCorsHeaders fails for same origin requests when setAllowedOrigins is set [SPR-12660] #17260

spring-issuemaster opened this issue Jan 23, 2015 · 2 comments



commented Jan 23, 2015

Rob Winch opened SPR-12660 and commented

If the StompEndpointRegistry.setAllowedOrigins does not contain "*", then any requests made from the same domain will be rejected (i.e. it is only possible for an external domain to work).

This is due to the fact that if a request is made from the same domain, the browser does not add the "Origin" header. That means that checkAndAddCorsHeaders will reject the request.

Affects: 4.1.4

Reference URL:

Issue Links:

  • #16841 Add Simple way of whitelisting origin
  • #17295 Javascript error with SockJS when using iframe-htmlfile + IE8
  • #17296 Add CSP 1.1 frame-ancestors support
  • #17294 Add same origin support to SockJS and WebSocket

Referenced from: commits cc78d40, 9b3319b

0 votes, 5 watchers



commented Jan 27, 2015

Sébastien Deleuze commented

Rob Winch Could you please have a look at this fix and send me your feedback? In addition to AbstractSockJsService.checkAndAddCorsHeaders(), I also modified OriginHandshakeInterceptor.
With the new behavior, the request succeeds when no Origin request header is found, regardless of the allowedOrigins property.

Please also notice that browsers are not consistent with Origin headers for same-origin requests. For example, in my tests based on spring-websocket-portfolio, Chrome sets the Origin header for same-origin Ajax requests, but Firefox does not. That means that you can't rely on the Origin request header to know whether this is a cross-origin or same-origin request. As a consequence, IMO when you do not want to restrict allowed origins, * remains the only relevant default value. Do you agree?



commented Feb 9, 2015

Sébastien Deleuze commented

Resolved in master with this commit that implements the following changes:

  • Requests without Origin header are not rejected anymore
  • Disable the iframe when allowedOrigins is not empty and not equal to *
  • The Iframe is not cached anymore in order to have a reliable origin check
  • allowedOrigins must not be null or empty
  • allowedOrigins format is now validated (should be * or start with http(s)://)

Juergen Hoeller It is ready to be merged in the 4.1.x branch.
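As an added illustration of the behaviour listed in the comment above (example code, not Spring's own implementation): a hypothetical OriginCheckExample class that validates the allowedOrigins format, accepts requests with no Origin header, and enables the iframe transport only when allowedOrigins is exactly "*".

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical stand-in for the allowedOrigins configuration and origin check described in the issue. */
public final class OriginCheckExample {

    private final Set<String> allowedOrigins;

    public OriginCheckExample(List<String> origins) {
        // allowedOrigins must not be null or empty
        if (origins == null || origins.isEmpty()) {
            throw new IllegalArgumentException("allowedOrigins must not be null or empty");
        }
        // Each entry must be "*" or start with http:// or https://
        for (String origin : origins) {
            if (!"*".equals(origin) && !origin.startsWith("http://") && !origin.startsWith("https://")) {
                throw new IllegalArgumentException("Invalid origin: " + origin);
            }
        }
        this.allowedOrigins = new HashSet<>(origins);
    }

    /** origin is the Origin request header value, or null when the browser did not send one. */
    public boolean isOriginAllowed(String origin) {
        // Browsers omit Origin on some same-origin requests, so a missing header is no longer rejected
        if (origin == null) {
            return true;
        }
        return allowedOrigins.contains("*") || allowedOrigins.contains(origin);
    }

    /** The iframe transport stays enabled only when allowedOrigins is exactly "*". */
    public boolean isIframeEnabled() {
        return allowedOrigins.size() == 1 && allowedOrigins.contains("*");
    }

    public static void main(String[] args) {
        // Constructed configuration: a single restricted origin (hypothetical host)
        OriginCheckExample check = new OriginCheckExample(Arrays.asList("https://app.example.com"));
        System.out.println(check.isOriginAllowed(null));                      // same-origin request without Origin
        System.out.println(check.isOriginAllowed("https://app.example.com")); // whitelisted origin
        System.out.println(check.isOriginAllowed("https://other.example.org")); // origin not in the whitelist
        System.out.println(check.isIframeEnabled());                          // restricted origins disable the iframe
    }
}
```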
