[ https://issues.apache.org/jira/browse/JENA-652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14181563#comment-14181563 ]
Osma Suominen commented on JENA-652:
------------------------------------
Having thought about this a bit, I think it's better for security to leave CORS
headers disabled by default, but it should be easy to enable them. Otherwise it
is possible for a malicious web page to perform SPARQL queries or updates on a
non-public Fuseki endpoint accessible from the browser (e.g. an endpoint
running on localhost or an intranet).

For example, in Virtuoso and 4store, CORS is disabled by default but can be
easily enabled:
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtTipsAndTricksCORsEnableSPARQLURLs
http://4store.org/trac/wiki/SparqlServer#ConfigFile
> Fuseki SPARQL update endpoint does not set CORS headers on an OPTIONS request
> -----------------------------------------------------------------------------
>
> Key: JENA-652
> URL: https://issues.apache.org/jira/browse/JENA-652
> Project: Apache Jena
> Issue Type: Bug
> Components: Fuseki
> Affects Versions: Fuseki 1.0.1
> Reporter: Eetu Mäkelä
> Assignee: Andy Seaborne
> Priority: Minor
> Attachments: fuseki-cors.patch
>
>
> Fuseki does not return CORS Allow headers for an OPTIONS request on the
> update endpoint, thus disallowing SPARQL UPDATE requests to be made from
> HTML5 web applications.
> This can probably be fixed just by adding a call to
> {{setCommonHeaders(response);}} into the {{doOptions}} method of
> {{org.apache.jena.fuseki.servlets.SPARQL_Update}}, identically to how this is
> handled in {{org.apache.jena.fuseki.servlets.SPARQL_Query}}.
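The policy discussed in this thread (CORS off by default, easy to enable, and applied to the OPTIONS preflight of the update endpoint as well as to queries), as an added sketch that is not Fuseki code or part of the original message. The function name, config fields and origins are hypothetical and the sample requests are constructed.

```javascript
// Added example, not Fuseki code. All names here are hypothetical.
// CORS stays off unless the operator explicitly lists trusted origins.
const DEFAULT_CONFIG = { corsEnabled: false, allowedOrigins: [] };

// Returns the CORS response headers for one request to a SPARQL endpoint.
//   method          - HTTP method of the request
//   origin          - value of the Origin request header, or undefined
//   requestedMethod - Access-Control-Request-Method header (preflight only)
function corsHeaders(config, method, origin, requestedMethod) {
  const cfg = { ...DEFAULT_CONFIG, ...config };
  // Disabled, no Origin header, or an unlisted origin: emit nothing, so the
  // browser refuses cross-origin reads and fails the preflight.
  if (!cfg.corsEnabled || !origin || !cfg.allowedOrigins.includes(origin)) {
    return {};
  }
  // Echo the one matching origin (never "*") and mark the response as
  // varying by Origin so shared caches do not mix answers.
  const headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (method === 'OPTIONS' && requestedMethod) {
    // Preflight answer; the update endpoint must send it too when CORS is
    // enabled, which is the gap JENA-652 reports.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
  }
  return headers;
}

// Constructed sample configuration and requests.
const intranet = { corsEnabled: true, allowedOrigins: ['https://apps.example.org'] };

function demo() {
  return {
    defaultOff: corsHeaders({}, 'OPTIONS', 'https://untrusted.example', 'POST'),
    unlisted: corsHeaders(intranet, 'OPTIONS', 'https://untrusted.example', 'POST'),
    preflight: corsHeaders(intranet, 'OPTIONS', 'https://apps.example.org', 'POST'),
    actual: corsHeaders(intranet, 'POST', 'https://apps.example.org'),
  };
}

console.log(demo());
```

Leaving these headers off governs what a cross-origin page may read and whether preflighted requests proceed; browsers still send form-encoded POSTs without a preflight, so a non-public update endpoint should also require authentication.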