Nicola Ferraro created CAMEL-10913:
--------------------------------------

             Summary: CORS header Access-Control-Allow-Credentials not managed 
correctly
                 Key: CAMEL-10913
                 URL: https://issues.apache.org/jira/browse/CAMEL-10913
             Project: Camel
          Issue Type: Bug
          Components: camel-http-common
            Reporter: Nicola Ferraro


When a browser uses the "withCredentials" flag (not visible in HTTP request 
headers), it accepts the response only if the 
"Access-Control-Allow-Credentials" header returned by the server is set to 
"true".

That header is not part of Camel's standard CORS headers, but it can be set in 
the route. The problem is that when "Access-Control-Allow-Credentials" is set 
to "true", the "Access-Control-Allow-Origin" header cannot be set to "*", which 
is our default (https://www.w3.org/TR/cors/ - section 6.1, point 3).

Setting the "Access-Control-Allow-Origin" header to a value equal to the 
"Origin" header of the request does the trick, but this must be set per route, 
and *CORS must be disabled*.

E.g.:
{code}
// do not enable cors (the built-in handling would answer with Access-Control-Allow-Origin: *)
rest().get("/hello")
  .route()
  .to("direct:handle")
  // tell the browser the credentialed response may be read
  .setHeader("Access-Control-Allow-Credentials", constant("true"))
  // reflect the request's Origin instead of "*", as the spec requires with credentials
  .setHeader("Access-Control-Allow-Origin", header("Origin"));
{code}

Otherwise the only option is setting a fixed allowed origin if you know it in 
advance.

I wonder if we should add e.g. a ".corsAllowCredentials(boolean)" configuration 
to handle this situation correctly, or another flag to reflect the origin 
instead of returning "*".



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
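The per-route workaround described in the report, written out as an added example (editor's code, not the reporter's snippet and not part of Camel itself). It keeps the built-in CORS handling off, answers the preflight as well as the GET, and only reflects the request's Origin when it is on an allow-list: reflecting any Origin together with "true" is functionally the same as "*" with credentials, which is exactly what the spec forbids. The origins, the jetty component, host and port, and the "direct:handle" endpoint are assumptions; the Camel 2.x REST DSL calls (`rest().get(...)`, `rest().verb(...)`, `restConfiguration().enableCORS(...)`) are the ones the report's snippet already relies on.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;

/**
 * Answers credentialed CORS requests for /hello without ever sending "*".
 * Added example; the allow-list entries and endpoint details are placeholders.
 */
public class CredentialedCorsRoute extends RouteBuilder {

    // Placeholder allow-list (assumption): only these origins may read responses
    // that carry cookies or HTTP auth.
    static final Set<String> ALLOWED_ORIGINS = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList("https://app.example.com", "https://admin.example.com")));

    @Override
    public void configure() {
        // Built-in CORS stays off: it would add "Access-Control-Allow-Origin: *",
        // which the browser rejects once withCredentials is set. The processor
        // below emits the headers instead. Component/host/port are assumptions.
        restConfiguration().component("jetty").host("localhost").port(8080).enableCORS(false);

        // Actual request: "direct:handle" is assumed to exist elsewhere in the context.
        rest().get("/hello").route()
            .to("direct:handle")
            .process(new CorsCredentialsProcessor(ALLOWED_ORIGINS));

        // Preflight: the browser sends OPTIONS before a credentialed request that
        // uses non-simple methods or headers, and it needs the same origin decision.
        rest().verb("options", "/hello").route()
            .process(new CorsCredentialsProcessor(ALLOWED_ORIGINS))
            .setHeader("Access-Control-Allow-Methods", constant("GET"))
            .setHeader("Access-Control-Allow-Headers", constant("Authorization,Content-Type"))
            .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(204));
    }

    /** Sets the credentialed CORS headers only for an allow-listed Origin. */
    static final class CorsCredentialsProcessor implements Processor {
        private final Set<String> allowed;

        CorsCredentialsProcessor(Set<String> allowed) {
            this.allowed = allowed;
        }

        @Override
        public void process(Exchange exchange) {
            String origin = exchange.getIn().getHeader("Origin", String.class);
            // Absent or unknown Origin: send no CORS headers at all, so the browser
            // blocks the cross-origin read. Reflecting whatever Origin arrives would
            // turn "true" + Origin into the forbidden "*" + credentials combination.
            if (origin == null || !allowed.contains(origin)) {
                return;
            }
            exchange.getIn().setHeader("Access-Control-Allow-Origin", origin);
            exchange.getIn().setHeader("Access-Control-Allow-Credentials", "true");
            // The response now depends on the request's Origin, so shared caches must key on it.
            exchange.getIn().setHeader("Vary", "Origin");
        }
    }
}
```

With this in place an allow-listed origin gets `Access-Control-Allow-Origin: <that origin>` plus `Access-Control-Allow-Credentials: true`, any other origin gets no CORS headers and the browser refuses the read, and `Vary: Origin` keeps a cache from serving one origin's response to another. The same processor can be reused on every route that needs credentials, which is the configuration the report suggests folding into the REST DSL.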