[
https://issues.apache.org/jira/browse/CAMEL-10913?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16171203#comment-16171203
]
Claus Ibsen commented on CAMEL-10913:
-------------------------------------
No, 2.18.5 will be the last 2.18.x release and it's currently being built.
> CORS header Access-Control-Allow-Credentials not managed correctly
> ------------------------------------------------------------------
>
> Key: CAMEL-10913
> URL: https://issues.apache.org/jira/browse/CAMEL-10913
> Project: Camel
> Issue Type: Bug
> Components: camel-http-common
> Reporter: Nicola Ferraro
> Assignee: Nicola Ferraro
> Fix For: 2.19.0
>
>
> When a browser uses the "withCredentials" flag (not visible in HTTP request
> headers), it accepts the response only if the
> "Access-Control-Allow-Credentials" header returned by the server is set to
> "true".
> That header is not part of Camel's standard CORS headers, but it can be set in
> the route. The problem is that when "Access-Control-Allow-Credentials" is set
> to "true", the "Access-Control-Allow-Origin" header cannot be set to "*",
> which is our default (https://www.w3.org/TR/cors/ - section 6.1, point 3).
> Setting the "Access-Control-Allow-Origin" header to a value equal to the
> "Origin" header of the request does the trick, but this must be set
> per-route, and *CORS must be disabled*.
> E.g.
> {code}
> // do not enable cors
> rest().get("/hello")
>     .route()
>         .to("direct:handle")
>         .setHeader("Access-Control-Allow-Credentials", constant("true"))
>         .setHeader("Access-Control-Allow-Origin", header("Origin"));
> {code}
> Otherwise the only option is setting a fixed allowed origin if you know it in
> advance.
> I wonder if we should add e.g. a ".corsAllowCredentials(boolean)"
> configuration to handle this situation correctly, or another flag to reflect
> the origin instead of returning "*".
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
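The rule the report relies on (a credentialed CORS response must name a specific origin, never "*") written out as a language-neutral header-computation function; this is an added illustration, not Camel code or code from the issue, and the origin allowlist and the `browser_accepts` approximation of the client-side check are assumptions made for the example.

```python
"""Added example (not from the Camel issue): compute CORS response headers.

Applies the rule from the report: when Access-Control-Allow-Credentials is
"true", Access-Control-Allow-Origin must echo one specific origin, never "*".
Echoing is limited to an explicit allowlist (an assumption of this example),
so an arbitrary page cannot obtain a credentialed response.
"""
from typing import Dict, Set

WILDCARD = "*"


def cors_headers(request_headers: Dict[str, str],
                 allowed_origins: Set[str],
                 allow_credentials: bool) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in request_headers.items()}
    origin = lowered.get("origin")
    headers: Dict[str, str] = {}
    if origin is None:
        return headers  # no Origin header: not a cross-origin browser request
    if allow_credentials:
        # "*" in the allowlist is deliberately NOT honoured here: a credentialed
        # response may only carry a concrete origin, so unknown origins get nothing.
        if origin in allowed_origins:
            headers["Access-Control-Allow-Origin"] = origin
            headers["Access-Control-Allow-Credentials"] = "true"
            headers["Vary"] = "Origin"  # response differs per Origin; keep caches honest
        return headers
    if WILDCARD in allowed_origins:
        headers["Access-Control-Allow-Origin"] = WILDCARD
    elif origin in allowed_origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    return headers


def browser_accepts(response_headers: Dict[str, str], origin: str,
                    with_credentials: bool) -> bool:
    """Approximation of the browser-side check described in the report."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        # With withCredentials the browser rejects "*" and requires the
        # Allow-Credentials header to be exactly "true".
        return (acao == origin
                and response_headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == WILDCARD or acao == origin
```

The test below also replays the failing combination from the report (default "*" plus `Access-Control-Allow-Credentials: true`) and shows the browser-side check rejecting it.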