https://bz.apache.org/bugzilla/show_bug.cgi?id=62419
Bug ID: 62419
Summary: Avoid CORS Origin echoing by default
Product: Tomcat 8
Version: 8.5.14
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: hau...@acm.org
Target Milestone: ----

As per a hint we got from network security of rub.de,

    response.addHeader(
        CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, "*");

is more secure than plain origin echoing.

Therefore, the easiest way to get there might be to set the default of

    cors.support.credentials = false

?
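Until the default changes, a web application can pin the setting itself. The following deployment-descriptor fragment is an added example, not part of the bug report or of Tomcat's shipped configuration; the filter name, the URL pattern and the sample origin in the comment are assumptions.

```xml
<!-- WEB-INF/web.xml fragment (constructed example) -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>

  <!-- Combination the report wants to avoid: any origin allowed AND
       credentials supported. Browsers reject "*" on credentialed
       requests, so the filter has to echo the caller's Origin value.
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  -->

  <!-- Setting proposed in the report, stated explicitly so it does not
       depend on the filter's default: no credentials, so the response
       can carry Access-Control-Allow-Origin: * and no echo is needed. -->
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>false</param-value>
  </init-param>

  <!-- If cookies or HTTP authentication must cross origins, keep
       credentials on but replace "*" with an explicit list, e.g.
       https://app.example.com (placeholder origin). -->
</filter>

<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <!-- Assumed path; map only the endpoints that need CORS. -->
  <url-pattern>/api/*</url-pattern>
</filter-mapping>
```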