Justin SB created CXF-6444:
------------------------------
Summary: CrossOriginResourceSharingFilter.java should not set
Origin=* when Credentials=true
Key: CXF-6444
URL: https://issues.apache.org/jira/browse/CXF-6444
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Reporter: Justin SB
According to this: http://www.w3.org/TR/cors/#resource-preflight-requests
...when Access-Control-Allow-Credentials: true is set, the response Origin:
must be the same as the request Origin (see bullet #7).
It doesn't say why in the RFC (that I could see), but I presume there are
security implications.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
