[
https://issues.apache.org/jira/browse/CXF-5017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Pieter Goddijn updated CXF-5017:
--------------------------------
Description:
When a CORS request header send with a comma delimited list of values without
whitespace, the regexp:
{private static final Pattern FIELD_COMMA_PATTERN = Pattern.compile(",\\w*");}
consumes (part of) the next item in the list.
The offending header in my case is (on a HTTP OPTIONS pre-flight check)
Access-Control-Request-Headers: authorization,content-type
which is eventually returned to the browser as:
Access-Control-Allow-Headers: authorization, -type
The result of which is Firefox refusing the cross-domain POST request following
this OPTIONS check
i couldn't find a reason why the {\\w*} part should be part of a comma
splitting regexp, changing the regexp to
{"," , ",\\b*" or ",\\s"} fixed the problem for me and would seem more logical
to me (but i'm not too familiar with the ins and out of CXF)
was:
When a CORS request header send with a comma delimited list of values without
whitespace, the regexp:
private static final Pattern FIELD_COMMA_PATTERN = Pattern.compile(",\\w*");
consumes (part of) the next item in the list.
The offending header in my case is (on a HTTP OPTIONS pre-flight check)
Access-Control-Request-Headers: authorization,content-type
which is eventually returned to the browser as:
Access-Control-Allow-Headers: authorization, -type
The result of which is Firefox refusing the cross-domain POST request following
this OPTIONS check
i couldn't find a reason why the \\w* part should be part of a comma splitting
regexp, changing the regexp to
"," , ",\\b*" or ",\\s" fixed the problem for me and would seem more logical to
me (but i'm not too familiar with the ins and out of CXF)
> CrossOriginResourceSharingFilter FIELD_COMMA_PATTERN mangles firefox headers
> ----------------------------------------------------------------------------
>
> Key: CXF-5017
> URL: https://issues.apache.org/jira/browse/CXF-5017
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.6
> Environment: firefox
> Reporter: Pieter Goddijn
> Priority: Minor
>
> When a CORS request header send with a comma delimited list of values without
> whitespace, the regexp:
> {private static final Pattern FIELD_COMMA_PATTERN = Pattern.compile(",\\w*");}
> consumes (part of) the next item in the list.
> The offending header in my case is (on a HTTP OPTIONS pre-flight check)
> Access-Control-Request-Headers: authorization,content-type
> which is eventually returned to the browser as:
> Access-Control-Allow-Headers: authorization, -type
> The result of which is Firefox refusing the cross-domain POST request
> following this OPTIONS check
> i couldn't find a reason why the {\\w*} part should be part of a comma
> splitting regexp, changing the regexp to
> {"," , ",\\b*" or ",\\s"} fixed the problem for me and would seem more
> logical to me (but i'm not too familiar with the ins and out of CXF)
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
