[ https://issues.apache.org/jira/browse/CXF-6444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed CXF-6444.
------------------------------------

> CrossOriginResourceSharingFilter.java should not set Origin=* when Credentials=true
> -----------------------------------------------------------------------------------
>
> Key: CXF-6444
> URL: https://issues.apache.org/jira/browse/CXF-6444
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Reporter: Justin SB
> Assignee: Sergey Beryozkin
> Fix For: 3.0.6, 2.7.17, 3.1.2
>
> According to this: http://www.w3.org/TR/cors/#resource-preflight-requests
> ...when Access-Control-Allow-Credentials: true is set, the response Origin:
> must be the same as the request Origin (see bullet #7).
> It doesn't say why in the RFC (that I could see), but I presume there are
> security implications.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
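The rule the issue asks for, as an added example that is not part of the original message and is not CXF's code: a plain-Java sketch that picks the `Access-Control-Allow-Origin` value from the request `Origin` and a credentials flag. The class `CorsOriginPolicy`, its method `headersFor` and the sample origins are hypothetical, and treating an empty allow-list as "any origin" is an assumption made for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example: hypothetical helper, not the CXF CrossOriginResourceSharingFilter.
public class CorsOriginPolicy {
    private final Set<String> allowedOrigins; // assumption: empty set = any origin allowed
    private final boolean allowCredentials;

    public CorsOriginPolicy(Set<String> allowedOrigins, boolean allowCredentials) {
        this.allowedOrigins = allowedOrigins;
        this.allowCredentials = allowCredentials;
    }

    /** Returns the CORS response headers for a request Origin, or an empty map if none apply. */
    public Map<String, String> headersFor(String requestOrigin) {
        Map<String, String> h = new LinkedHashMap<>();
        if (requestOrigin == null) {
            return h; // no Origin header: not a CORS request
        }
        boolean anyOrigin = allowedOrigins.isEmpty();
        if (!anyOrigin && !allowedOrigins.contains(requestOrigin)) {
            return h; // origin not on the allow-list: emit no CORS headers
        }
        if (allowCredentials) {
            // Credentials=true: never "*"; the value must equal the request Origin.
            h.put("Access-Control-Allow-Origin", requestOrigin);
            h.put("Access-Control-Allow-Credentials", "true");
            h.put("Vary", "Origin"); // response differs per origin, so caches must key on it
        } else if (anyOrigin) {
            h.put("Access-Control-Allow-Origin", "*"); // wildcard only without credentials
        } else {
            h.put("Access-Control-Allow-Origin", requestOrigin);
            h.put("Vary", "Origin");
        }
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample origins, for illustration only.
        String origin = "https://app.example.org";
        System.out.println(new CorsOriginPolicy(Set.of(), true).headersFor(origin));
        System.out.println(new CorsOriginPolicy(Set.of(), false).headersFor(origin));
        System.out.println(new CorsOriginPolicy(Set.of(origin), true)
                .headersFor("https://other.example.net"));
    }
}
```

With an empty allow-list and credentials enabled, echoing the request `Origin` satisfies the rule but still lets any site make credentialed requests, so endpoints that rely on cookies or HTTP authentication are better served by an explicit allow-list.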