David Handermann created NIFI-9241:
--------------------------------------
Summary: Review CORS Security Configuration
Key: NIFI-9241
URL: https://issues.apache.org/jira/browse/NIFI-9241
Project: Apache NiFi
Issue Type: Improvement
Components: Core UI, Security
Affects Versions: 1.14.0, 1.8.0
Reporter: David Handermann
Assignee: David Handermann

The NiFi Web Security Configuration includes a custom CORS Configuration Source
that disallows HTTP POST requests for Template Uploads. This works as expected
with direct access to the NiFi UI, but causes issues when attempting to upload
a template to NiFi through a reverse proxy.

When a web browser sends a template upload request that includes an unexpected
{{Origin}} header, the Spring CORS Filter returns HTTP 403 Forbidden with a
response body containing the message {{Invalid CORS Request}}. NIFI-6080
describes a workaround that involves setting a different {{Origin}} header.

The current approach as implemented in NIFI-5595 should be evaluated for
potential improvements to avoid this behavior when running NiFi with a reverse
proxy.
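
The behaviour reported above can be reproduced with a simplified model of a same-origin check followed by an allowed-method check. This is an added illustration, not NiFi or Spring code; the function names, host names and the upload path are constructed, and the allowed-method set is an assumption standing in for the configuration the issue describes.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumption: the upload path's CORS configuration permits only these methods.
UPLOAD_ALLOWED_METHODS = {"GET", "HEAD"}


def origin_tuple(url):
    """Reduce a URL or Origin header value to (scheme, host, port)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def cors_filter_status(request_url, method, origin_header,
                       allowed_methods=UPLOAD_ALLOWED_METHODS):
    """Return the status the modelled filter yields before the app runs.

    request_url is the URL as the backend sees it; behind a reverse proxy
    this can differ from the URL shown in the browser's address bar.
    """
    if origin_header is None:
        return 200  # no Origin header: not treated as a CORS request
    if origin_tuple(origin_header) == origin_tuple(request_url):
        return 200  # same origin: the CORS rules are not applied
    if method.upper() not in allowed_methods:
        return 403  # cross-origin POST: "Invalid CORS Request"
    return 200


# Constructed sample requests (hypothetical hosts and path).
BACKEND = "https://nifi.example.internal:8443/upload-placeholder"
CASES = {
    "direct": (BACKEND, "POST", "https://nifi.example.internal:8443"),
    "via_proxy": (BACKEND, "POST", "https://proxy.example.com"),
    "proxy_url_preserved": ("https://proxy.example.com:443/upload-placeholder",
                            "POST", "https://proxy.example.com"),
    "via_proxy_get": (BACKEND, "GET", "https://proxy.example.com"),
}


def run_cases():
    """Evaluate every sample request and return {case name: status}."""
    return {name: cors_filter_status(*args) for name, args in CASES.items()}


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(f"{name:22} -> {status}")
```

The `via_proxy` case is the failure in the report: the browser sends the proxy's origin while the backend compares it against its own scheme, host and port. The `proxy_url_preserved` case passes only because the modelled backend sees the browser-facing URL.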